medicare compliance plan & program policies · the cnc board of directors, as the governing...

MEDICARE COMPLIANCE PLAN& PROGRAM POLICIES

2018

BOARD OF DIRECTORS APPROVAL

FEBRUARY 27, 2018

2 Care N’ Care Insurance Company, Inc. | February 2018

Table of Contents I. COMPLIANCE PLAN GOVERNANCE ...................................................................................................... 3

II. MEDICARE COMPLIANCE PLAN ............................................................................................................ 4

III. MEDICARE COMPLIANCE PROGRAM ELEMENTS ................................................................................. 5

1. Code of Conduct and Written Policies and Procedures .................................................................... 5

2. Compliance Officer, Compliance Committee and High Level Oversight ........................................... 6

3. Effective Training and Education ...................................................................................................... 9

4. Effective Lines of Communication .................................................................................................. 11

5. Well Publicized Disciplinary Standards ........................................................................................... 14

6. Effective System for Routine Monitoring and Identification of Compliance Risks ......................... 16

7. Procedures and Systems for Prompt Response to Compliance Issues ........................................... 19

8. Fraud, Waste and Abuse ................................................................................................................. 21

9. Notable Changes………………………………………………………………………………………….…………………………….23

10. Appendix A ‐ Compliance Program Policies & Procedures………………………………………………………….24


I. COMPLIANCE PLAN GOVERNANCE The Medicare Compliance Plan is updated annually and is approved by the Board of Directors for Care N’

Care Insurance Company, Inc. (“Care N’ Care”) and subsidiaries that hold contracts with the Centers for

Medicare & Medicaid Services (“CMS”).

The Medicare Compliance Plan is a component of Care N’ Care’s overall compliance program and

reinforces the Company’s commitment to comply with all applicable Federal and state regulations as

well as ethical standards of conduct. The overall compliance program at Care N’ Care includes the Code

of Conduct which is also endorsed and approved by the Care N’ Care Board of Directors. This

Compliance Plan incorporates the requirements and related provisions, as provided by the Centers for

Medicare & Medicaid Services (CMS), for a Medicare Advantage Organization (MAO) to establish and

maintain an effective Compliance Program for both a Medicare Advantage (Part C Plan sponsor) and a

Medicare Advantage Prescription Drug (MA‐PD Plan sponsor), hereinafter collectively referred to as

Parts C & D.

The Compliance Program and all components of the plan are designed to promote a culture of integrity,

ethical behavior and compliance with applicable laws and regulations. One of the key elements in the

Medicare compliance program is the creation of a Medicare Compliance Committee, which is charged

with supporting the Medicare Compliance Officer (“Compliance Officer”) in review and oversight of the

Medicare compliance program. The Committee is responsible to Senior Management, the Chief

Executive Officer, and the Board of Directors for reviewing the effectiveness of the Medicare compliance

program through self‐audits and monitoring of metrics and key indicators and to ensure prompt and

effective corrective actions are taken where deficiencies are noted. The Compliance Officer and the

Committee are responsible for escalating compliance deficiencies and ongoing issues of noncompliance

to senior management, the Chief Executive Officer, and the Board of Directors.

Care N’ Care makes this Medicare Compliance Plan available to all employees and Board of Directors

(the “Board”), as well as contractors, subcontractors, vendors, agents, and first‐tier, downstream and

related entities (“FDRs”). The Compliance Officer reserves the right to amend and update components

of the Medicare compliance program, including the material in this Medicare Compliance Plan, at any

time to make changes based on regulatory guidance, enhancements to the program to improve

effectiveness, or for any other reason.

All Care N’ Care employees, Directors and affiliates must read and understand the content of this

Medicare Compliance Plan and associated policies and procedures.

FDRs and other business partners have the option to:

1) Adopt the Care N’ Cares Code of Conduct, Medicare Compliance Plan, and associated

compliance policies and procedures;

2) Develop and follow their own code of conduct, compliance plan, and/or equivalent policies and

procedures that describe their commitment to comply with applicable laws and regulations; or

3) Adopt the code of conduct, compliance plan, and/or equivalent compliance policies and

procedures of another entity contracted with CMS.


If an FDR or other business partner follows a code of conduct, compliance plan, and/or equivalent

policies and procedures not developed by Care N’ Care, the Company reserves the right to review and

approve these documents.

Please contact the Compliance Officer if you have questions regarding information contained in this

Medicare Compliance Plan.

II. MEDICARE COMPLIANCE PLAN Care N' Care understands that participation in federal programs is a tremendous responsibility and has a

Compliance Program that is structured around the elements of an effective compliance program as

recommended in the Department of Health and Human Services Office of Inspector General’s (OIG)

Compliance Program Guidance publications and the Federal Sentencing Commission’s Guidelines to

ensure that Medicare Part C and Part D practices are conducted properly and to ensure compliance with

applicable federal, state and local statutory and regulatory obligations. These compliance obligations

include, but are not limited to, the following:

• Federal and state False Claims Acts

• Anti‐Kickback Statute

• Prohibition on inducements to beneficiaries

• Health Insurance Portability and Accountability Act

• Code of Federal Regulations – specifically 42 C.F.R. § 400, 403, 411, 417, 422, 423, 1001 and

1003

• All sub‐regulatory guidance produced by the Centers for Medicare & Medicaid Services

(CMS) such as manuals, training materials and guides

• Applicable Civil Monetary Penalties and Exclusions

• Applicable Provisions of the Federal Food, Drug and Cosmetic Act

• Applicable State laws and Contractual commitments

Care N' Care is committed to maintaining a working environment that promotes ethical values,

exemplary behavior and compliance with the letter and spirit of all applicable laws. Such an

environment can exist only if Care N' Care employees, physicians and agents demonstrate the highest

ethical standards in performing their daily tasks.

Care N' Care recognizes that federal agencies responsible for enforcement of Medicare and Medicaid

laws and regulations applicable to healthcare providers require Medicare Advantage organizations to

develop and implement corporate compliance programs. Care N' Care's Compliance Program is

designed to comply with that requirement.

A successful Compliance Program contributes to this purpose in the following ways:

• Stating and re‐stating Care N' Care’s commitment to regulatory compliance and legal

conduct

• Identifying, reporting and preventing non‐compliance and illegal activities

• Providing training about internal compliance‐oriented controls to promote compliance with

State and Federal laws, rules and regulations as well as internal policies and procedures that

are used to ensure compliance,


• Providing an operational environment that allows employees to identify problems within

the organization, that directly addresses problems and that fairly disciplines non‐compliant

behavior.

The Compliance Program follows the seven core elements of an effective compliance program to ensure

that the program meets Medicare regulations as well as guidelines recommended by the Department of

Health and Human Services (DHHS) Office of Inspector General (OIG):

1. Care N' Care maintains written policies, procedures, and standards of conduct that articulate the

organization’s commitment to comply with all applicable Federal and State standards.

2. Care N' Care designates a Compliance Officer and Compliance Committee (CC) that are

accountable to senior management.

3. Care N' Care provides effective training and education to Care N’ Care employees.

4. Care N' Care maintains effective lines of communication to Care N’ Care employees.

5. Care N' Care enforces standards through well‐publicized disciplinary guidelines, including

policies and procedures for dealing with sanctioned individuals/entities.

6. Care N’ Care monitors and audits its operations.

7. Care N’ Care maintains procedures for ensuring prompt response to detected offenses and

development of corrective action initiatives relating to the Medicare Advantage contract.

III. MEDICARE COMPLIANCE PROGRAM ELEMENTS Each component of the Medicare Compliance Program and Care N’ Care’s approach to complying with

each component is discussed below.

1. Code of Conduct and Written Policies and Procedures Code of Conduct Care N’ Care has adopted a Code of Conduct, which is intended to serve as a guide to provide standards by which employees, Board members, contractors and agents shall conduct themselves to protect and promote organization‐wide integrity and to enhance Care N’ Care’s ability to achieve its mission. The Code of Conduct is designed to assist in carrying out their daily responsibilities within the appropriate legal and ethical standards. However, the Code of Conduct cannot possibly encompass all legal and ethical standards, and is not a substitute for each employee, Board member, contractor or agent’s good judgment and sense of honesty, integrity and fairness. The Code of Conduct shall be supplemented by this Compliance Plan and applicable policies and

procedures. The Code of Conduct is made available to:

The Board of Directors and Executive Leadership team at the time of appointment

and annually thereafter;

• Each employee, including officers and temporary employees, at the time of

employment and annually thereafter; and

• First tier, downstream and related entities, including all providers at the onset of

their contract and annually thereafter.

Providers and first tier, downstream and related entities are required to adopt and follow a code

of conduct particular to their own organization and that reflects their own commitment to


ethical behavior, compliance and detecting, preventing and correcting fraud, waste and abuse.

The organization ensures this requirement is met through on‐going monitoring and audits, as

appropriate, of first tier, downstream, and related entities. New Board Members, Employees,

and FDRs are required to sign an attestation acknowledging receipt and review of the Code of

Conduct within ninety (90) days of the appointment, hire, or commencement of the contract,

and annually thereafter. FDRs may also attest to following their own Code of Conduct.

Policies and Procedures All departments are required to maintain current Policies and Procedures (P&Ps) that are updated annually or when guidance or internal changes occur. All P&Ps are reviewed during internal audits to ensure the policies reflect the processes being followed on a day‐to‐day basis. These policies address all statutes, rules, contractual requirements, and program instructions applicable to their area of responsibility and are made available to employees upon hire, when there are updates to the policies, and annually thereafter. The Compliance Department, with support from other applicable functional areas, develops and implements written policies and procedures to support the compliance functions of the organization. A policy and procedure is maintained to define the process for the development, revision, review, approval, maintenance, storage and communication of policies and procedures. Policies and procedures are reviewed at least annually, and are revised during the contract year in response to changes in Medicare or other Federal requirements that relate to the Medicare Advantage program. In addition, new policies may be developed or current ones revised in response to identified risks or areas for improvement which occur in the general course of plan operations or through monitoring. Compliance policies are available to employees on the Care N’ Care shared drive. Each department is accountable for distributing approved policies and desktops to their staff and conducting appropriate employee training. Each employee is responsible for being well versed in the requirements of those portions of the particular policies and desktop procedures applicable to his or her job responsibilities. First Tier, Downstream and Related Entities (FDRs): Compliance provides FDRs with copies of the Medicare Compliance Program and compliance policies at the time of contracting and annually thereafter. FDRs are required to complete and return an attestation confirming their organization compliance with established policies and procedures and other Medicare Compliance program requirements.

2. Compliance Officer, Compliance Committee and High Level Oversight The successful implementation of the Compliance Program requires dedicated commitment and

diligent oversight throughout Care N’ Care’s operations, including, but not limited to, key roles

and responsibilities by the Board, the Compliance Officer, the Compliance Committee, the

Delegation Oversight Committee, and Senior Management.

a. Governing Body The CNC Board of Directors, as the Governing Body, is responsible for approving, implementing,

and monitoring a Compliance Program governing Care N’ Care’s operations. The Board

delegates the Compliance Program oversight and day‐to‐day compliance activities to the Chief


Executive Officer (CEO), who then delegates such oversight and activities to the Compliance

Officer. The Compliance Officer is an employee of CNC, who handles compliance oversight and

activities full‐time. The Compliance Officer, in conjunction with the Compliance Committee, are

both accountable for the oversight and reporting roles and responsibilities as set forth in this

Compliance Plan. However, the CNC Board remains accountable for ensuring the effectiveness

of the Compliance Program within CNC and monitoring the status of the Compliance Program to

ensure its efficient and successful implementation.

b. Director of Compliance (Compliance Officer) The Director of Compliance serves as the Compliance Officer and coordinates and communicates all assigned compliance activities and programs, as well as plans, implements, and monitors the day to day activities of the Compliance Program. The Compliance Officer reports directly to the CEO and the Compliance Committee on the activities and status of the Compliance Program. The Compliance Officer has authority to report matters directly to the Care N’ Care Board at any time. Furthermore, the Compliance Officer ensures that CNC meets all state and federal regulatory and contractual requirements. The Compliance Officer interacts with the Care N’ Care Board, CEO, Care N’ Care’s executive and departmental management, FDRs, legal, State and Federal representatives and others as required. In addition, the Compliance Officer supervises the Compliance Department, which includes compliance professionals with expertise and responsibilities for the following areas: Medicare Compliance, Privacy, FDR oversight, Policies and Procedures, and training on compliance activities.

c. Compliance Committee The Compliance Committee is authorized to fulfill its mission by, and is accountable directly to

the Care N' Care Board of Directors. The Compliance Officer and Compliance Committee report

directly and are accountable to the organization's chief executive. The role of the Compliance

Committee is to implement and oversee the Compliance Program and to participate in carrying

out the provisions of this Compliance Plan. The Compliance Committee meets at least on a

quarterly basis, or more frequently as necessary, to enable reasonable oversight of the

Compliance Program. The Compliance Committee is authorized to and is responsible for

investigating all reports of suspected noncompliance and Fraud, Waste and Abuse (FWA)

violations or questionable conduct under the Compliance Program. Compliance Committee

membership shall consist of the Compliance Officer, Compliance Committee Chairperson,

clinical personnel, and management staff including representatives from Operations, Quality,

Clinical Pharmacy Services, and Member Services as outlined in the Committee Charter.

The primary responsibilities of the Compliance Committee include, but are not limited to, the

following:

Maintain and update the Code of Conduct consistent with regulatory requirements and/or operational changes, subject to approval by the Care N’ Care Board;

Maintain written notes, records, correspondence, or minutes (as appropriate) of Compliance Committee meetings reflecting reports made to the Compliance Committee and the Compliance Committee’s decisions on the issues raised;


Review and monitor the effectiveness of the Compliance Program, including monitoring key performance reports and metrics, evaluating business and administrative operations, and overseeing corrective actions to ensure they are promptly and effectively implemented;

Develop standards of business conduct and Policies and Procedures to promote compliance;

Review, approve, and/or update Policies and Procedures to ensure the successful implementation and effectiveness of the Compliance Program consistent with regulatory, legal and contractual requirements;

Recommend and monitor the development of internal systems and controls to implement Care N’ Care’s standards and Policies and Procedures as part of its daily operations;

Determine the appropriate strategy and/or approach to promote compliance and detect potential violations and advise the Compliance Officer accordingly;

Develop and maintain a reporting system to solicit, evaluate, and respond to complaints and problems;

Review and address reports designating areas in which Care N’ Care is at risk for program noncompliance and potential FWA, and ensure that corrective action plans are implemented and monitored for effectiveness;

Suggest and implement appropriate actions necessary to ensure that Care N’ Care and its FDRs conduct activities and operations in compliance with the applicable law and regulations and sound business ethics; and

Provides regular and ad hoc reports on the status of compliance with recommendations to the Board.

d. Delegation Oversight Committee (DOC) The Delegation Oversight Committee (DOC) is a subcommittee of the Compliance Committee and is chaired by the (Compliance Program Manager). The DOC is responsible for overseeing the delegated activities. The DOC has final approval authority for any delegation activity as permitted by the Care N’ Care Board. Committee members include representatives from CNC’s departments as provided for in the DOC charter. In addition to the monthly scheduled meetings, the DOC may conduct ad hoc online meetings, as needed. All materials presented are approved by a quorum. A quorum is defined as one over fifty percent. DOC may approve and/or implement Corrective Action Plans (CAPs); however, recommendations for FDR sanctioning and/or de‐delegation are submitted to the Compliance Committee for final approval.

Responsibilities of the Delegation Oversight Committee include:

Annual review, revision, and approval of the Delegation Oversight Program Description, Policies and Procedures, and audit tools;

Review findings of the pre‐delegation audit and readiness assessment to evaluate a potential FDR’s ability to perform the delegated function(s);

Review and approve potential FDR entities for delegation of functions;

Ensure written agreements with each delegated FDR clearly define and describe the delegated activities, responsibilities, and reporting requirements of all Parties consistent with applicable laws, regulations and contractual obligations;


Conduct formal, ongoing evaluation and monitoring of FDR performance and compliance through review of periodic reports submitted, complaints/grievances filed, and findings of the annual on‐sight audit;

Ensure all Downstream and Related Entities are monitored in accordance with CNC oversight procedures;

Propose sanctions, subject to the Compliance Committee’s approval, if an FDR’s performance is substandard and/or violates the terms of the applicable agreement; and

Review and initiate recommendations, such as termination of delegation, to the Compliance Committee for unresolved issues of compliance.

3. Effective Training and Education Education and training are critical elements of the Compliance Program. Care N’ Care requires

that all Board Members, Employees and FDRs complete training upon appointment, hire, or

commencement of contract, as applicable, and on an annual basis thereafter. Required courses

cover the Code of Conduct, compliance obligations and relevant laws, and FWA, as applicable.

Care N’ Care utilizes web‐based training courses which are updated regularly to ensure that

employees are kept fully informed about any changes in procedures, regulations and

requirements. The Compliance Officer is responsible for coordinating compliance education and

training programs with Human Resources and ensuring that records of completion are

documented and maintained, such as sign‐in sheets, attestations, or electronic certifications, as

required by law.

Code of Conduct Care N’ Care’s training program includes the distribution of the Code of Conduct to Board

Members, Employees, and FDRs. Board Members, Employees, and FDRs are required to sign an

attestation acknowledging receipt, review, and understanding of the Code of Conduct within

ninety (90) days of their appointment, date of hire, or commencement of the contract, and

annually thereafter. Completion and attestation of such review of the Code of Conduct is a

condition of continued appointment, employment, or contract services.

Mandatory Training Courses (Compliance Oversight and FWA) Care N’ Care requires Board Members and Employees regardless of role or position to complete

mandatory compliance training courses. Mandatory courses may include, but are not limited to:

the fundamentals of the Compliance Program; FWA training; HIPAA privacy and security

requirements; ethics; and a high level overview of the Medicare Program. Care N’ Care’s training

courses covers Care N’ Care’s commitment to compliance with Federal and State laws and

regulations, contractual obligations, internal policies and ethics. Elements of the Compliance

Program are highlighted, including, but not limited to, an emphasis on the requirement to and

different means to report suspected or actual noncompliance, violations, and/or FWA issues,

along with Care N’ Care’s policy on confidentiality, anonymity, and non‐retaliation for such

reporting. Employees must complete the required compliance training courses with 90 days of

hire, and annually thereafter. Adherence to the Compliance Program requirements, including

training requirements, shall be a condition of continued employment. Board Members are

required to complete the required compliance training courses within ninety (90) days of

appointment, and annually thereafter.


Employees have access via internal shared drives to Care N’ Care’s Policies and Procedures

governing the Compliance Program and pertinent to their respective roles and responsibilities.

Employees may receive additional compliance training as is reasonable and necessary based on

changes in job descriptions/duties, promotions, and/or the scope of their job functions.

Specialized Training Specialized training may be developed, delivered, and required based on an employee’s job function and training needs as identified by Compliance and Management to address operational and procedure requirements or education on regulatory and sub‐regulatory requirements or a combination of both. Regulatory Guidance Distribution The Compliance department is responsible for tracking, analyzing, and conveying new laws, regulations, and policies specific to the Medicare Program. Compliance summarizes all regulatory guidance memos received and facilitates timely distribution to impacted business areas. New regulatory guidance containing significant operational business impact may be discussed in operations or adhoc meetings to explain the new regulatory guidance issued, the business impact and implementation action/timeline required, and training needs. Training and Education for FDRs All Care N' Care FDRs and their employees who have involvement in the administration or delivery of Parts C and D benefits are required to perform their contracted responsibilities in compliance with Care N' Care policy, CMS regulatory requirements, and all applicable laws and regulations. Care N' Care requires all FDRs to provide FWA training compliant with CMS requirements and requires its employees to take training developed by CMS and available through CMS Medicare Learning Network (MLN). FDRs and their employees must receive general compliance training within 90 days of contracting/hire and annually thereafter as a condition of employment. FDRs will have three (3) options for ensuring FDRs have satisfied the general compliance training requirement: (1) FDRs can complete the general compliance and/or FWA training modules located on the CMS

MLN at http://www.cms.gov/Outreach‐and‐Education/Medicare‐Learning‐Network‐

MLN/MLNProducts/WebBasedTraining.html Once an individual completes the training, the

system will generate a certificate of completion. The MLN certificate of completion must be

accepted by Sponsors.

(2) Sponsors and FDRs can incorporate the content of the CMS standardized training modules

from the CMS website into their organizations’ existing compliance training materials/systems.

(3) Sponsors and FDRs can incorporate the content of the CMS training modules into written

documents for providers (e.g. Provider Guides, Participation Manuals, Business Associate

Agreements, etc.).

FDRs that have met FWA certifications through enrollment into the Medicare program or

accreditation as a durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS)

supplier are deemed to have met the FWA training and education requirement. However,

deemed providers are not exempt from the general compliance training requirement.


Care N' Care must establish effective mechanisms to ensure that FDRs fulfill the compliance

training requirements (e.g. incorporate the requirement into contracts with FDRs, collect

attestations from FDRs, training material coupled with monitoring and auditing of a sample of

FDRs to validate training requirements were fulfilled, etc.). The Code of Conduct and Policies

and Procedures providing an overview of the Care N’ Care Compliance Program, are made

available to FDRs upon commencement of the FDR contract. FDRs are required to disseminate

copies of the Code of Conduct and Policies and Procedures to their employees, agents, and/or

Downstream Entities or use their own equivalent Code of Conduct. All FDRs will be required to

complete the FDR Compliance Attestation upon contracting and annually thereafter confirming

the organization has completed the appropriate general compliance and FWA training. This

attestation is distributed to all FDRs and also posted on the CNC website under resources for

FDRs.

4. Effective Lines of Communication Care N’ Care employs multiple mechanisms to ensure effective lines of communication between the Compliance Officer and all levels of employees, contractors, temporary employees, providers, FDRs, as well as with individuals serving on the board. These established mechanisms allow for providing guidance on CMS requirements and Care N' Care's compliance program to all employees, temporary staff, vendors, contractors and providers, the reporting of improper conduct, suspected non‐compliance as well as allegations of fraud, waste and abuse or any other impropriety. The organization expects reporting of issues to be able to occur without the involvement of supervisors or other personnel and the fear of potential retaliation or retribution. These lines of communication will be accessible to all and allow for anonymous and confidential

good faith reporting of potential compliance issues as they are identified. Information on how

to report issues or contact the Compliance Officer is posted on the ADP Portal, included in the

Code of Conduct, included on the CNC website, posted on signs in break rooms and common

areas.

Note: Appropriate training and education, and an effective internal incident reporting process

are key components of communication within the organization. These areas are each addressed

fully in separate Policies and Procedures.

The Compliance Officer will maintain open lines of communication with the CEO and Board of

Directors regarding activities of the Compliance Committee and Compliance Department. This

includes, but is not necessarily limited to, the following:

• Compliance Committee Minutes

• Compliance Program and Compliance Department Work Plan

• Audit Results

• Compliance or Ethics Issues

The Compliance Officer will keep the Committee informed and seek its guidance on compliance

or ethics issues that represent potential risk to the organization.


The Compliance Officer and Compliance Committee will maintain open lines of communication

with Care N' Care management staff. This includes, but is not necessarily limited to, the

following:

• The Compliance Committee is comprised of management staff responsible for the main

departments and functions within the organization. The structure of the Committee

therefore facilitates communication with management.

• All management staff shall receive a copy of the Compliance Program, including all

significant revisions. Managers are responsible for understanding the Compliance

Program and distributing a copy to all employees.

• The Compliance Officer serves as the organization’s main point of contact with

regulatory authorities. The Compliance Officer shall route incoming program

information and regulatory guidance to the appropriate individual(s).

• The Compliance Department tracks all communications from CMS and communicates all

sub‐regulatory guidance produced by CMS and HHS such as manuals, training materials,

HPMS memos, and guides throughout the organization as appropriate.

The Compliance Officer and Compliance Committee will maintain open lines of communication

with employees at all levels of the organization. This includes, but is not necessarily limited to,

the following:

• All employees shall receive a copy of the Compliance Program, including the Code of

Conduct, at the time of employment and upon revision thereafter. The Code of Conduct

will be made available to delegated (first‐tier, downstream, and related) entities.

Employees shall be required to certify their receipt and understanding and return a

signed Acknowledgment to Human Resources at the time of hire.

• As noted above, the Compliance Committee is comprised of management staff with

responsibility for key departments or functions within the organization. Routine or

informal communication, particularly in situations where documentation is not required,

may therefore be achieved through normal organizational channels.

• The annual Compliance Work Plan shall include a basic plan for ongoing employee

communication. Examples of possible methods include newsletters, bulletins, emails,

meetings, interviews, etc. (Note: This requirement may be satisfied in conjunction with

requirements for employee training and education).

• As noted above, employee training and incident reporting are key aspects of

organizational communication. These components are addressed in separate Policies

and Procedures.

The Compliance Officer and Compliance committee will develop and utilize mechanisms for

communicating with contracted entities, including health care providers, management service

organizations, and brokers. Such communication will typically occur in collaboration with Care N'

Care departments or committees having established methods of contractor communication.

Examples include Contracting, Marketing, UM/QM Delegations Oversight, and Claims Oversight.

Care N' Care will maintain open communication with regulatory authorities.


• The Compliance Officer is Care N' Care’s primary point of contact with regulatory

authorities. Normal, ongoing communication with regulators will be routed through the

Compliance Officer.

• Individual Departments may have such direct communication with regulatory

authorities as is appropriate to fulfillment of their responsibilities. For example,

Enrollment may be required to contact CMS regarding retro‐active transactions; IT may

be required to contact the CMS Help Desk regarding transmission of data; etc.

• For elevated issues such as investigation, litigation, interaction with enforcement

authorities, or any situation that poses similar risk to the organization, communication

will be governed by, as appropriate:

Company policy, if applicable policy exists

Direction from senior management

Advice of outside counsel

Care N' Care will maintain open communication with our members and educate our members

on identifying and reporting noncompliance and FWA. Methods of communication with our

members include newsletters, bulletins, emails, meetings, information published on Care N'

Care’s website, etc.

Compliance Hotline All employees, supervisors, managers, and administrators are required under the compliance program to report, anonymously if desired, known or suspected violations of an applicable law or regulation, or the Code of Conduct, without fear of retaliation. Care N’ Care maintains an easily accessible Compliance Hotline, available 24 hours a day, 7 days a week, in which CNC may receive anonymous issues on a confidential basis. The toll free Compliance Hotline is 1‐844‐760‐5838. The Compliance Hotline allows for anonymous reporting online via the ComplianceLine website at www.mycompliancereport.com. Report Directly to the Compliance Officer The Compliance Officer is available to receive reports of suspected or actual compliance

violations or FWA issues on a confidential basis (to the extent permitted by applicable law or

circumstances) from Board Members, Employees, FDRs and Members. The Compliance Officer

may be contacted by telephone, written correspondence, email, or by a face‐to‐face

appointment. FDRs are generally contractually obligated to report suspected fraud and abuse to

CNC pursuant to regulatory and contractual requirements.

Report Directly to a Supervisor or Manager Care N’ Care employees are encouraged to contact their immediate supervisor or manager when non‐compliant activity is suspected or observed. A report should be made immediately upon suspecting or identifying the potential or suspected non‐compliance or violation. The supervisor or manager will promptly escalate the report to the Compliance Officer for further investigation and reporting to the Compliance Committee (as applicable). If an Employee is concerned that his or her supervisor or manager did not adequately address his or her report or complaint, the employee may go directly to the Compliance Officer or the CEO. Report Directly to the Compliance Department


Reports may be made directly to Care N’ Care’s Compliance Department via mail or email for

confidential reporting. Emails can be sent to [email protected]. Written

correspondence can be set to: CNC Compliance Department at 1701 River Run, Suite 402, Fort

Worth, TX 76107.

Confidentiality and Non‐Retaliation Every effort will be made to keep reports confidential to the extent permitted by applicable law and circumstances, but there may be some instances where the identity of the individual making the report will have to be disclosed. As a result, Care N’ Care has implemented and enforces a non‐retaliation policy to protect individuals who report suspected or actual non‐compliance or FWA issues in good faith. This non‐retaliation policy extends to reports received from FDRs and members.

Care N’ Care takes violations of its non‐retaliation policy seriously, and the Compliance Officer will review and enforce disciplinary and/or other corrective action plans for violations, as appropriate, with the approval of the Compliance Committee.

5. Well Publicized Disciplinary Standards Care N' Care employees are expected to comply with governing laws and regulations, as well as

provisions of the Care N' Care Compliance Program, Code of Conduct, and any other applicable

company policies. These policies are made available to each employee at the new employee

orientation and annually thereafter through various forms, including the ADP portal and the

company internal shared drive. Failure to do so may result in the use of disciplinary action to

correct such situations and, as appropriate, motivate employees to participate directly in the

resolution.

Disciplinary action shall be administered on a fair and equitable basis, appropriate to the

seriousness of the violation and consistent with Care N' Care's personnel policies and

procedures. Depending on the severity of the violation, progressive steps in the disciplinary

action process may be omitted if appropriate in order that immediate corrective measures,

including termination, can be taken.

The actions listed below are guidelines only. Nothing in this Policy or any other Compliance

policies and procedures should be construed as preventing, limiting or delaying Care N' Care

from taking other appropriate disciplinary action, including immediate termination, in any

circumstances where Care N' Care, in its sole discretion, deems such action appropriate.

Nothing in this policy or any other Compliance Policies and Procedures is intended to alter the

"at‐will" nature of the employment relationship between Care N' Care and its employees as set

forth in Care N' Care’s employment policies, procedures and manuals.

The intent for the disciplinary process is to improve performance and eliminate misconduct or

rule violations. For the most effective use of the disciplinary action, it is necessary that all

employees, supervisors and managers in particular, be familiar with applicable laws and

regulations, Care N' Care policies and department requirements so that infractions are quickly

and accurately identified. A supervisor must be willing to discuss with employees situations or

events which may, if not corrected, eventually lead to on‐the‐job problems.


Examples of the types of infraction or violation for which disciplinary or corrective action will be

taken include:

• Noncompliance with laws, regulations, policies or procedures;

• Encouraging or assisting another to engage in noncompliance;

• Failure to report noncompliance;

• Failure to detect noncompliance by an individual who should have detected such

noncompliance;

• Knowingly submitting a false, malicious or frivolous report of noncompliance against

another employee.

• Failure to satisfy the education and training requirements of the Compliance

Program;

• Failure of a supervisor or manager to assure that their subordinates understand the

requirements of the Program; and

• Retaliation against an employee, agent, or contractor who reports in good faith a

concern relating to possible noncompliance.

This list is designed to illustrate common categories or areas of compliance violations. It is

intended to aid employees in identifying specific conduct that may violate applicable laws or

company policy. The list is not exhaustive of all types of conduct that may constitute grounds for

disciplinary action, including termination of employment.

No employee shall be disciplined solely because s/he reported what was reasonably believed to

be an act of wrongdoing or a violation of the Compliance Program.

A thorough investigation must be conducted before disciplinary action is administered.

Depending on the situation, the investigation may be conducted by the supervisor, manager,

Compliance Officer, or outside entity.

If management determines after a thorough investigation that action beyond counseling is

warranted, it is the duty of the appropriate supervisor or manager to initiate disciplinary action.

Depending on the situation, the supervisor or manager may need to discuss the action with the

next level of management, the Compliance Officer, Legal Counsel, or Human Resources to

ensure appropriate applicability, documentation, and procedure.

Management must consider the nature and seriousness of the infraction, all relevant facts and

information, and any mitigating or aggravating circumstances when formulating disciplinary

action. All guidelines must be applied consistently and in a non‐discriminatory manner, and

thorough documentation is essential. Senior management, the Compliance Officer, Human

Resources, or legal counsel should be consulted as appropriate when evaluating the

circumstances affecting disciplinary action.

As a general rule, disciplinary action shall be more severe for conduct that is a knowing,

intentional, willful, or reckless violation of the law or of Care N' Care standards or policies.

Intentional or reckless noncompliance is to be punishable with “significant sanctions,” which can

range from oral warnings to suspension or termination as appropriate. Where the guidelines

below recommend termination, a lesser disciplinary action may be imposed, at Care N' Care’s


sole discretion, after consideration of all relevant facts, including, without limitation, mitigating

and aggravating circumstances.

Circumstances that shall be considered to be mitigating can include:

• The employee reported the violation promptly

• The employee cooperated with Care N' Care in the investigation

• The employee accepted responsibility for the violation

Admission of wrongdoing does not guarantee protection from disciplinary or corrective action.

The weight to be given to the admission shall depend on all the facts known to Care N' Care at

the time the decision concerning disciplinary or corrective action is made. Such facts include

whether the individual's conduct was known or its discovery was imminent prior to the

admission, and whether the admission was complete and truthful.

Circumstances that shall be considered to be aggravating include, but are not necessarily limited

to:

• The existence of a prior record of discipline and the nature and extent of that

record;

• The current misconduct found or acknowledged by the employee evidences

multiple acts of wrongdoing or demonstrates a pattern of misconduct;

• The employee’s misconduct was surrounded by or followed by bad faith,

dishonesty, concealment, overreaching or other violations of Care N' Care’s policies

and procedures;

• The employee’s misconduct harmed significantly Care N' Care;

• The employee demonstrated indifference toward rectification of or atonement for

the consequences of his or her misconduct; and

• The employee displayed a lack of candor or cooperation with Care N' Care during

the investigation or disciplinary process.

Employment of and Contracting with Ineligible Persons Care N’ Care prohibits hiring or entering into contracts with individuals and/or entities who have been recently convicted of a criminal offense related to health care or who are listed as debarred, excluded or otherwise ineligible for participation in Federal health programs. Care N’ Care shall utilize the DHHS Office of the Inspector General (OIG) List of Excluded Individuals and Entities (LEIE list) and the System for Award Management Exclusion List (formerly the GSA Excluded Parties Lists System) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, board member, or FDR, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.

6. Effective System for Routine Monitoring and Identification of Compliance Risks Care N’ Care will develop and implement appropriate monitoring and auditing processes to

evaluate compliance with applicable laws, regulations and policies, and rapidly detect potential

issues, problems or violations. Care N' Care will provide proactive, targeted efforts to prevent,


detect, and respond to fraud, waste, and abuse issues. Monitoring and auditing of first tier,

downstream, and related entities will be conducted and may result in programmatic actions.

The Compliance Committee is responsible for oversight of Care N' Care’s monitoring and

auditing efforts and will receive regular reports regarding performance, updates to systems,

staffing, etc.

Risk Assessment and Monitoring The Compliance department performs an annual risk assessment that includes an assessment of the various ways misconduct, noncompliance, fraud, waste and abuse can occur or has occurred by and against Care N’ Care. The risk assessment also considers Care N’ Care’s ability to deter or remediate potential noncompliance against existing control activities. The results of the risk assessment are reported to Board of Directors and the Compliance Committee, along with appropriate recommendations for additional education, delegate entity oversight, system edits or enhanced auditing and monitoring efforts. Monitoring and auditing are critical elements in the Compliance Program. It allows Care N’ Care to identify areas that require corrective action in order to achieve compliance with specific Medicare regulatory requirements. This process of self‐identification and corrective action, along with monitoring to ensure that such actions are effective, are crucial to the success of this Program. The Compliance department, or its designee(s), conducts regular auditing and monitoring to ensure adherence to Medicare regulations, Centers for Medicare and Medicaid Services (CMS) guidance, contractual provisions, applicable Federal and State laws, as well as internal policies and procedures. An audit plan is developed annually based upon a formal risk assessment and sets forth the audits to be performed, audit schedules, and methodology. The Compliance department conducts corrective actions and follow up activities which may include reporting of such findings to CMS. The Compliance Officer also provides updates on monitoring and auditing to the Compliance Committee, Senior Leadership and the Board of Directors. Auditing The Compliance Department will conduct or facilitate operational and first‐tier audits sufficient to evaluate the organizations compliance with applicable laws, regulations and company policies. All operational and first‐tier audits will be appropriately planned and structured according to established methodology, using an accepted tools and standards (CMS Program Audit Protocols and Medicare Part C and D program manuals). The Compliance Officer will arrange focused audits of specific departments, first tier entities, or areas as necessary. Focused audits may result from risk assessment data, departmental monitoring, regulatory concerns (e.g., OIG Work Plan), members, complaints filed with CMS, employee incident reporting, or any other credible indicators. The Compliance Officer will periodically schedule routine audits to do spot checks of Care N' Care departments or first tier entities, as necessary and at a frequency to be determined by the Compliance Officer and Compliance Committee. Care N' Care’s contractual agreements with first tier entities provide for routine and random auditing. Where FDRs perform their own audits, Care N' Care will request a copy of the FDR’s


audit work plan and request the audit results. When corrective action is needed, Care N' Care will ensure that corrective actions are taken by the entity. Reports that will be reviewed as part of FDR monitoring and auditing include, but are not limited to:

• Accuracy of claims processing;

• Appeal/Grievance reports;

• Payment reports;

• Drug utilization reports;

• Provider utilization reports;

• Prescribing and referral patterns by physician reports; and

• Geographic zip reports

Any audit result indicative of a potential issue, problem or noncompliance must be adequately

addressed. Based on the scope and severity of the issue, the Compliance Officer and

Department Manager will determine appropriate next steps.

Confirmed problems or cases of noncompliance must be remediated with appropriate corrective

action.

The Compliance Officer, with input and approval of the Compliance Committee, will develop and

publish an Annual Audit Plan. The Audit Plan is subject to review and revision throughout the

year as new indicators for focused audit may emerge. The Audit Plan includes:

• Audits to be performed;

• Audit schedules, including start and end dates;

• Announced and/or unannounced audits;

• Audit methodology;

• Necessary resources;

• Types of audit (desk or onsite);

• Number of FDRs that will be audited and how the entities will be identified for auditing;

• Person(s) responsible;

• Final audit report due date; and

• Follow up activities from findings

Audit findings that represent significant risk to the organization will be reported immediately to

the CEO and the Board of Directors.

The Compliance Officer will prepare a quarterly report of the status of the Audit Plan. The report

should summarize:

• Audit objectives

• Scope and methodology

• Results of current audits, including any detected issues or non‐compliance and resulting

corrective action

• Recommendations


Corrective Actions Corrective action initiatives as identified through routine monitoring and internal audit activities are monitored and managed by the Compliance Officer. Corrective actions are designed to correct the underlying problem that results in Medicare Advantage program violations and to prevent future violations. Corrective action plans are implemented for both internal initiatives, as well as when necessary,

for actions of a first tier, downstream, or related entities. Corrective action plans are

documented in a format determined by the Compliance Officer and include specific

implementation tasks, the names of individuals accountable for implementation and required

time frames for remediation activities.

Corrective action initiatives may include actions such as the repayment of identified

overpayments and making reports to government authorities, including CMS or its designees

(e.g., MEDIC), and law enforcement, as necessary or required. The Compliance Officer will

report corrective actions to the Compliance Committee, the senior leadership team and the

board, on a monthly basis.

Corrective Actions and Additional Monitoring and Auditing The Compliance Officer shall submit regular reports of all monitoring, audit, and corrective action activities to the Compliance Committee. In instances where non‐compliance is identified, a corrective action plan shall be developed by the FDR and reviewed and approved by the Compliance Officer, or his or her designee. Supplemental and focused audits of FDRs, as well as additional reporting, may be required until compliance is achieved. At any time, Care N’ Care may implement sanctions or require remediation by an FDR for failure to fulfill contractual obligations including development and implementation of a corrective action plan. Failure to cooperate with Care N’ Care in any manner may result in termination of the delegation agreement, in a manner authorized under the terms of the agreement.

7. Procedures and Systems for Prompt Response to Compliance Issues Care N’ Care recognizes that violations of its Compliance Program, violations of applicable

federal or state law, or other types of misconduct threaten its status as a reliable, honest, and

trustworthy organization capable of participating in federal and private programs.

Consequently, upon report or reasonable indication of suspected noncompliance, the

Compliance Officer along with management will initiate prompt steps to investigate the conduct

in question to determine whether a material violation of applicable law or the requirements of

the compliance program has occurred, and if so, take steps to correct the problem.

Care N' Care will establish and implement procedures and a system for promptly responding to

compliance issues as they are raised, investigating potential compliance problems as identified

in the course of self‐evaluations and audits, correcting such problems promptly and thoroughly

to reduce the potential for recurrence and ensure ongoing compliance with CMS requirements.

• If Care N' Care discovers evidence of misconduct related to the payment or delivery of

prescription drug items or services under the contract, Care N' Care will conduct a

timely reasonable inquiry into that conduct.


• Care N' Care will conduct appropriate corrective actions (for example, repayment of

overpayments and disciplinary actions against responsible individuals) in response to

the potential violation referenced above.

• Care N' Care has procedures to voluntarily self‐report potential fraud and misconduct

related to the program to CMS, or its designee.

As appropriate, such steps to investigate misconduct will include the following:

All reports of any alleged misconduct that may rise to the level of fraud and abuse will

immediately be communicated to the Compliance Officer. Reporting may be anonymous.

Reports may be made without fear of retaliation.

Such reports will be investigated as soon as reasonably possible, as but no later than two weeks

following the receipt of the report, information, or complaint regarding the potential

noncompliance. The Compliance Officer will begin the investigation and obtain the support and

direction of Compliance Committee/management as necessary and appropriate.

Depending upon the nature of the alleged violations, an internal investigation will include

interviews and a review of relevant documents.

For violations that are severe upon initial review, the Compliance Officer will engage outside

counsel, auditors, or other experts to assist in the investigation.

All employees, vendors and FDRs are required to cooperate fully in all compliance investigations.

Failure to cooperate in an investigation may lead to disciplinary action. Intimidation or

retaliation against any employee who cooperates in a compliance investigation is strictly

prohibited and will lead to disciplinary action up to and including termination.

Records of the investigation will contain documentation of the alleged violation, a description of

the investigative process, copies of interview notes and key documents, a log of the witnesses

interviewed and the documents reviewed the results of the investigation, e.g., any disciplinary

action taken, and the corrective action implemented.

The Compliance Officer will take appropriate steps to secure or prevent the destruction of

documents or other evidence relevant to the investigation for a period of ten (10) years.

If an investigation of an alleged violation is undertaken and the Compliance Officer believes the

integrity of the investigation may be at stake because of the presence of employees under

investigation, those subjects will be removed from their current work activity until the

investigation is completed.

A corrective action plan will be created if any fraud and abuse or material violation of this

program is found to have occurred.

Any violations, which are found to have occurred, will be reported to the suspected individuals.

Any discipline that the Compliance Officer, and when appropriate the compliance committee

and/or the board, determines is necessary will be implemented.


If any overpayment or underpayment was involved, a report will be sent to the appropriate

personnel/agency pursuant to government and other applicable guidelines.

When appropriate and in consultation with legal counsel, an immediate referral should be made

to criminal and/or civil law enforcement authorities.

Response to Fraud Alerts CMS issues alerts to Part D sponsors concerning fraud schemes identified by law enforcement officials. Typically, these alerts describe alleged activities involving pharmacies practicing drug diversion or prescribers participating in illegal remuneration schemes. Care N’ Care may take action (including denying or reversing claims) in instances where Care N’ Care’s own analysis of its claims activity indicates that fraud may be occurring. Care N’ Care’s decision to deny or reverse claims shall be made on a claim‐specific basis. When a Fraud Alert is received, Care N’ Care is also obligated to review its past paid claims from entities identified in a fraud alert. With the issuance of a fraud alert, CMS places Care N’ Care on notice (see 42 CFR 423.505(k)(3)) that claims involving the identified party needs to be reviewed. To meet the “best knowledge, information, and belief” standard of certification, Care N’ Care will work with delegates and shall make its best efforts to identify claims that may be or may have been part of an alleged fraud scheme and remove them from the sets of prescription

drug event data submissions.

8. Fraud, Waste and Abuse Care N’ Care is strongly committed to the detection and prevention of FWA at the plan level, as

well as within its first‐tier, downstream or related entities. Care N' Care maintains ultimate

responsibility for adhering to and otherwise fully complying with all applicable federal and state

statutory, regulatory, and other requirements related to the delivery of the Medicare benefits,

including the compliance plan requirements found at 42 CFR §422.503(b)(4)(vi); 42 C.F.R. §

423.504(b)(4)(vi)(H). Care N' Care will work in an ongoing manner with the appropriate entities

to detect and prevent FWA as is required by the Medicare Managed Care Manual, Chapter 21 –

Compliance Program Guidelines and Prescription Drug Benefit Manual, Ch. 9 – Compliance

Program Guidelines.

Examples of fraud include, but are not limited to:

Billing for services that were not rendered;

Misrepresenting as medically necessary non‐covered or screening services by reporting them as covered procedure or revenue codes;

Signing blank records or certification forms, or falsifying information on records or certification forms for the sole purpose of obtaining payment;

Up‐coding or consistently using procedure/revenue codes that describe more extensive services than those actually performed;

Using an incorrect or invalid provider number in order to be paid or to be paid at a higher rate of reimbursement;

Selling or sharing Medicare health insurance identification numbers so that false claims can be filed;

Falsifying information on applications, medical records, billing statements, cost reports or on any documents filed with the government.


Examples of waste and abuse include, but are not limited to:

Billing for services or items in excess of those needed by the patient;

Unbundling services that are to be bundled or double billing in order to receive increased payment

Adding inappropriate or incorrect information to cost reports;

Collecting in excess of the deductible or co‐insurance amounts;

Requiring a deposit or other payment from patients as a condition for admission, continued care or other provision of service;

Examples of member fraud include, but are not limited to:

Misrepresenting or concealing facts that would cause CNC to provide coverage to persons who are otherwise not eligible.

The three types of conduct that are generally prohibited by health care fraud laws are false claims, kickbacks and self‐referrals. The consequences for violating these laws can include, in addition to imprisonment and fines, civil monetary penalties, loss of licensure, loss of Staff privileges and exclusion from participation in federal health care programs.

Furthermore, self‐reporting plays a critical role in reducing FWA and maintaining program

integrity. Therefore, Care N' Care should self‐report potential fraud discovered at the plan, first‐

tier entity, downstream entity, or related entity levels to the appropriate entities. In doing so,

Care N' Care may receive the benefits of voluntary self‐reporting found in the False Claims Act

and federal sentencing guidelines. Self‐reporting offers plans the opportunity to minimize the

potential cost and disruption of a full scale audit and investigation, to negotiate a fair monetary

settlement, and to potentially avoid an OIG permissive exclusion preventing Care N' Care from

doing business with the Federal health care programs. CMS strongly encourages plans to

immediately self‐disclose marketing violations to CMS and proactively report any corrective

action measures that they have taken to respond to any violations. Both the DOJ and the OIG

also have longstanding policies favoring self‐disclosure. The Provider Self‐Disclosure Protocol for

the DHHS OIG can be found at 63 Fed. Reg. 58,399‐403 (1998). An overview of Care N’ Care’s

Fraud, Waste, and Abuse program can be found in the Fraud, Waste and Abuse plan.

LAW & REGULATIONS RELATED TO FWA:

a. 42 CFR § 423.504(b)(4)(vi)(H)

b. 42 CFR §422.503(b)(4)(vi)

c. Medicare Managed Care Manual, Chapter 21 – Compliance Program Guidelines and

Prescription Drug Benefit Manual, Ch. 9 – Compliance Program Guidelines

d. Anti‐Kickback Regulations – 42 U.S.C. § 1320a‐7b (b)

e. Stark Law Amendments – 42 U.S.C. § 1395nn

f. Mail and Wire Fraud – 18 U.S.C. § 1341

g. False Claims Act – 31 U.S.C. § 3729‐33

h. HIPAA/HITECH – 45 CFR, Part 164

i. Provider Self‐Disclosure Protocol – 63 Fed. Reg. 58,399‐403 (1998)


Notable changes (with page number)

This overview has been provided to list the key points of notable changes and the sections in which they

are detailed.

Compliance Plan & Program Policies

Section Changes

Administrative Updated expected approval dates

Compliance Program Policy and Procedures

Included language regarding location and availability of compliance and departmental policy and procedures on the shared drive (rev. page 6)

Compliance Program Policy and Procedures

Included language regarding compliance providing all FDRs with compliance program and policy and procedures annually, to include required attestation (rev. page 6)

Training & Education Added link to CMS Medicare Learning Network for required training (rev page 10)

Training & Education Added language regarding specialized training (rev page 10)

Training & Education Added language regarding regulatory guidance distribution (rev page 10)

Risk Assessment Removed reference to FDR Risk Assessment included broad overview of the risk assessment process (rev. page 17)

Compliance Program Updated to Attachment A to include new policy revisions


Appendix A

Compliance Program

Policies & Procedures

The following is a subset of the Care N’ Care Compliance Policies and Procedures a complete listing of

policies are located on the Compliance shared drive.

Policy and Procedure Name: Compliance Program Policy

Policy Number: COM-001.1

Functional Business Owner’s Name: Nakia Smith, Director of Compliance

Effective Date: 10/1/2015

Review Date: 12/15/2017

Approver’s Name: Wendy Karsten, Chief Executive Officer

Approval Date: 10/22/2015

Page 1 of 4

PURPOSE:

Care N’ Care Insurance Company, Inc. (“Care N’ Care”) hereafter known as the “Company”, understands that participation in federal programs is a tremendous responsibility. As such, the Company is committed to conducting business ethically, with integrity, and in compliance with applicable state and federal laws and regulations. The Company has designed and implemented a formal compliance program (Program). The Program’s purpose is to integrate business conduct, compliance and ethics, standards into the daily business activities of the Company through communication, education and training, monitoring, investigation, detection, and reporting of perceived, potential, or actual violations including, fraud, waste, and abuse (FWA). This policy serves to formally establish the guiding principles for the Program’s overall effectiveness and accountability and serves as the link to all other Company policies and procedures related to matters of ethics, business conduct, and compliance with legal, regulatory and sub-regulatory requirements. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS: Abuse: Actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse cannot be differentiated categorically from fraud, because the distinction between fraud and abuse depends on specific facts and circumstances, intent and prior knowledge, and available evidence among other factors. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. (See 42 C.F.R. §423.501).

Care N’ Care, COM-001.1, Compliance Program Policy ________________________________________________________________________________

Page 2 of 4

Fraud: Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property owned by, or under the custody or control of, any health care benefit program. Waste: Overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare program. Waste is generally notconsidered to be caused by criminally negligent actions but rather the misuse of resources. RESPONSIBILITIES

The Board of Directors is knowledgeable and responsible for oversight of the Company’s Program and conducts a review of the Company’s compliance program annually to:

Evaluate the efficiency and effectiveness of the program; Evaluate employee, officer, and director compliance with the program and the company’s

systems to monitor compliance with the program; Recommend to the Compliance Officer (CO) improvements to the program as necessary; Monitor the findings of any audits by regulatory agencies and the corrective actions taken by the

Company to address the findings; Monitor procedures for handling complaints regarding any violations of the program and for

confidential, anonymous submission of concerns by employees, including those regarding accounting and auditing matters;

Receive suggestions from directors and officers for improvement of the compliance program; Meet at least four times annually with the CO to discuss the status of the compliance program,

including employee training and education, reports of suspected violations of the program, reports of FWA, and investigations of such reports, and discipline or other actions resulting from such investigations, and confirm that remediation has occurred;

Meet, at least four times annually, with the CO to review the status of the Company’s compliance with Medicare requirements and periodically to review compliance with other federal and status regulatory requirements;

Approve the appointment and the replacement of the CO; Provide input to the annual evaluation of the performance of the CO; and

In addition to the Board of Directors, the Company has an internal Compliance Committee the responsibilities of which are to:

Oversee the Program’s implementation and operation, including the development of strategies to promote compliance and detect any potential violation, the implementation of corrective and preventive action, when required, and the use of internal controls designed to ensure compliance in daily operations;

Foster and promote a culture that encourages ethical conduct and a commitment to compliance with the Code of Conduct and laws, regulations, policies and procedures;

Review reports from the CO, and other compliance personnel, including dashboards, self-assessments, scorecards and similar tools that would reveal compliance issues;

Ensure that the Program has up-to-date compliance policies and procedures; Ensure that the Company has a system for workforce to ask compliance questions and report

potential instances of non-compliance and potential FWA confidentially or anonymously without fear of retaliation;

Ensure that the Company has a method for employees, beneficiaries and others to report potential FWA;

Review and address reports of monitoring and auditing of areas in which the Company is at risk for noncompliance or potential FWA and ensure that corrective action plans are implemented and monitored for effectiveness;


Page 3 of 4

Serve as a conduit for elevating operational compliance issues, risks, barriers, and opportunities that may impact the business;

Monitor the status of issues, critical incident reports, audit findings, and potential process issues; Identify resource and funding needs for elevation to appropriate senior leadership for resolution;

and Coordinate and share information from meetings with functional areas and key governance

committees to facilitate the timely and accurate reporting to senior leadership and to the Boards of Directors.

The CO, as the facilitator and the focal point for the day-to-day operation of the Company’s compliance program, is responsible for:

Implementing the Compliance Program, including defining the program structure, educational

requirements, reporting and complaint mechanisms, response and correction procedures, and compliance expectations of all personnel and FDRs.

Submitting to the CEO and senior management and/or ensuring that senior management receives reports of risk areas facing the Company, strategies being implemented to address them and the results of those strategies, and reports on Medicare program noncompliance and FWA for issues identified, investigated and resolved; and

Advising the CEO of all governmental compliance enforcement activity from Notices of Non-compliance to formal enforcement actions.

Create and coordinate (or delegate) educational training programs to ensure that officers, directors, managers, employees, FDRs, and other individuals working in the government programs are knowledgeable about the Compliance Program, written Code of Conduct, compliance policies and procedures, and all applicable statutory and regulatory requirements.

Coordinate personnel issues with Human Resources to ensure that covered persons are checked against the OIG exclusion lists and GSA debarment lists monthly. CNC will require FDRs to provide signed attestation/certification of their compliance with this requirement.

Oversee the development and monitoring of corrective action plans.

The Compliance Department is responsible for:

Facilitating with the Compliance Program Policy and applicable Company procedures; Providing effective training and education, including FWA to the workforce within 90 days of

hiring, appointment and/or contracting and annually thereafter; Maintaining a system to receive, record and respond to and track compliance questions or

concerns and reports of potential FWA from the workforce, including anonymous good-faith reports of potential or actual misconduct and maintaining confidentiality to the extent possible; and, enforcing a no-tolerance policy for retaliation or retribution against the workforce for good-faith reporting of noncompliance and FWA;

Ongoing oversight of all first tier, downstream and related entities activities; Conducting reasonable, well-documented inquiries into all compliance incidents and potential

FWA; Assisting in removing barriers within the organization to meeting compliance with the Program; Assisting in ensuring required changes to processes and/or internal controls are implemented to

maintain effective and appropriate compliance with the Program; Establishing and maintaining an effective continuous improvement process for identification,

correction and reporting of systemic problems related to compliance of the Program. Communicating changes to laws, regulations, and/or compliance requirements to impacted areas

and through the Compliance Committee; and Determining the appropriate area responsible for communication with regulatory agencies on

issues relating to the Company’s compliance.


Page 4 of 4

Management is responsible for:

Ensuring their respective areas are performing their compliance responsibilities according to the applicable requirements;

Operational oversight of the compliance process and program components; Developing and maintaining appropriate written policies and procedures for their areas of

accountability which incorporate compliance requirements; having internal controls in place for all affected business processes and effective monitoring, evaluation and improvement of all business processes;

Periodic training on internal processes related to functional responsibilities and FWA risks which include review of applicable state and federal laws, regulatory and sub-regulatory requirements, their relationship to the functional areas’ responsibilities including SOPs, desk procedures, internal controls and individual avoidance of unlawful or unethical occurrences;

Training of the workforce when there are changes to laws, regulations and accreditation or compliance requirements which impact the area’s responsibilities;

Promoting methods to report good-faith allegation of suspected or actual wrongdoing, including FWA, and the policy of non-intimidation and non-retaliation;

Developing and implementing a corrective action plan for a business area at the direction of the Compliance department; and

Reinforcing to the workforce its responsible for reporting to the CO any activity that it is believed, in good faith, may violate this policy.

CROSS-REFRENCED DOCUMENTATION: N/A

REVISION HISTORY Description of Change Author Effective Date

RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations 42 C.F.R. §§ 422.503(b)(4)(vi), 423.504(b)(4)(vi) Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines Prescription Drug Benefit Manual Chapter 9 – Compliance Program Guidelines

Review/Approval Date: Signature on FIle ___________________________________ Signature 10/22/2015 __________________________ Approval Date

Policy and Procedure Name: Compliance Officer, Compliance Committee and High Level Oversight

Policy Number: COM-001






Page 1 of 4

PURPOSE:

The purpose of this policy and procedure is to ensure the effective implementation of the Care N’ Care compliance program by establishing a Compliance Committee. DEFINITIONS: N/A POLICY:

CNC will maintain a Compliance Officer, Compliance Committee and High Level Oversight. The Compliance Officer is tasked with the daily operations of the compliance program, is an employee of the organization, and reports to the Chief Executive Officer. In no event shall the Compliance Officer be an employee of CNC’s first tier, downstream and related entity (FDR), or serve dual roles in operational areas. The Compliance Committee advises the Compliance Officer and is primarily responsible for oversight and implementation of the Compliance Program. The Committee shall also provide leadership in establishing a culture of ethical conduct and compliance within the organization. High Level Oversight shall be conducted by the contracting entity’s Governing Body which shall exercise reasonable oversight of the implementation and effectiveness of the compliance program. PROCEDURE:

I. Mission – CNC is committed to conducting its business operations with honesty, integrity, and in full compliance with all applicable federal and state standards. The mission of the Compliance Officer and the Compliance Committee is to ensure CNC honors this commitment. Both the Compliance Officer and Compliance Committee fulfills its mission by:

A. Overseeing implementation and execution of the Corporate Compliance Program B. Providing leadership to the organization in the areas of regulatory compliance and ethical

conduct. C. Providing guidance to employees and others for dealing with potential compliance issues.

II. Authority – The Compliance Officer and Compliance Committee is authorized to fulfill its mission

by, and is accountable directly to, the CNC Board of Directors.The Compliance Officer shall report on a recurring basis directly to the governing body of the organization on activities/status of the Compliance Program, including issues identified, investigated, and resolved.

III. Membership – The Compliance Committee membership shall consist of the Compliance Officer, Chief Executive Officer and/or Chief Operating Officer, Director of Operations, Director of Clinical Pharmacy Services, Director of Quality and other management staff with the responsibility for key departments or functions within the organization.

Care N’ Care, COM-001, Compliance Officer, Compliance Committee and High Level Oversight ________________________________________________________________________________

Page 2 of 4

o The Compliance Committee is a senior oversight body. Members must be capable of evaluating and addressing issues affecting all levels and areas across the organization, as well as their specific areas of direct authority.

o Membership considerations, including the addition and removal of committee

members, can be made by any committee member at any time. An assessment of the current membership representation shall be conducted on an annual basis.

IV. Committee Responsibilities – The primary responsibilities of the Compliance Committee include,

but are not limited to, the following:

o Assist and advise the Compliance Officer with development and implementation of the Corporate Compliance Program

o Analyze the organization’s industry environment, the legal requirements with which it must comply, and implementing the risk assessment, monitoring and auditing work plan.

o Assess existing policies and procedures that address the identified risk areas for possible incorporation into the Compliance Program. Policies and procedures will be updated, Medicare-specific, and reflect Medicare current laws (ACA False Claims Act requirement to report overpayments) and regulatory requirements. They will also reflect CNC’s operational practices.

o Work with CNC departments to develop standards of conduct and policies and procedures to promote compliance, describe compliance expectations, and detect potential violations.

o Recommend and monitor, in conjunction with the relevant departments, the development of internal systems and controls to carry out Medicare regulations and CNC’s standards, policies and procedures.

o Determine the appropriate strategy or approach to promote adherence to the Compliance Program and to allow employees and FDRs to ask compliance questions and report potential violations confidentially or anonymously (if desired), such as through hotlines and other fraud reporting mechanisms, without fear of retaliation.

o Develop a system to solicit, evaluate, and respond to complaints and problems. o Monitor internal and external audits and investigations for the purpose of identifying

troublesome trends and issues and implementing effective corrective and preventive actions.

o Develop innovative ways to implement appropriate corrective and preventive action. o Confer with the Compliance Officer on findings of internal compliance reviews,

recommendations, and follow-up actions to be taken on potential violations of standards, rules, regulations, and laws.

o Provide regular and ad hoc reports on the status of compliance with recommendations to CNC’s governing body.

o Support the Compliance Officer’s needs for sufficient staff and ensure that sufficient resources are committed to operation of the Compliance Program and all related policies, plans and activities.

o Ensure compliance training and education is effective and appropriately completed.

The Committee may also perform other functions as the concept of corporate compliance becomes part of CNC’s overall operating structure and daily routine.

V. Individual Member Responsibilities - The primary responsibilities of the individual members

include, but are not limited to, the following:

o Compliance Officer – The Compliance Officer will serve as co-chair of the Compliance Committee. As the focal point for day-to-day operations of the compliance program, the CO will ensure the committee is aware of the overall effectiveness of the Compliance Program, potential areas of risk, and


Page 3 of 4

mitigation/corrective action taken to address identified risks.

o Chief Executive Officer – As the senior executive member of the Committee, the CEO is primarily responsible for ensuring that the Committee is equipped and empowered to fulfill its mission.

o All Committee Members – Each Committee member is accountable and accepts

responsibility for the overall success and effectiveness of the Compliance Program. Each Committee member agrees to:

Actively contribute to the effectiveness of Committee meetings, as

described below. Diligently execute assigned duties and action items. Lead by example, and promote an organizational culture that emphasizes

regulatory compliance and values ethical conduct.

VI. Meetings A. Frequency - The Compliance Committee will meet bimonthly; more frequent meetings

will be scheduled if need arises. B. The Compliance Officer and/or delegate shall distribute the meeting agenda, draft

minutes from the previous meeting, and any other materials that require Committee review prior to the meeting.

C. Effectiveness - Committee members shall strive to make meetings as productive and time-effective as possible. Every effort shall be made to start and end meetings on time. Committee member agree to:

Regularly attends all Committee meetings. If a Committee member is unable to attend a scheduled meeting, he/she should notify the Compliance Officer in advance and, if appropriate, designate a representative to attend in his/her place.

Prepare for each meeting. This includes review of materials that have been distributed ahead of time (agenda, minutes from the previous meeting, etc.) and completion of assigned action items.

Actively participates in each meeting. CROSS-REFRENCED DOCUMENTATION: N/A

REVISION HISTORY Description of Change Author Effective Date Updated in compliance with Chapter 9 & 21 Lydia Cervantez January 8, 2014 Revised Policy Owner and Approver, updated Compliance Committee oversight and membership.

Nakia Smith September 1, 2015



Page 4 of 4

Review/Approval Date: Signature on File ___________________________________ Signature 10/22/2015 __________________________ Approval Date

Policy and Procedure Name: Delegation Oversight

Policy Number: DEL - 001




Approver’s Name: Wendy Karsten, CEO


Page 1 of 5

PURPOSE:

The purpose of this policy and procedure is to outline the delegation oversight activities of First Tier, Downstream and Related Entities (FDRs) that perform the Centers for Medicare and Medicaid Services (CMS) mandated functions on behalf of Care N’ Care Insurance Company, Inc. To oversee and monitor the provider network and delegated entities necessary to ensure services are provided in a timely fashion and are of a quality, which meets or exceeds accepted standards of practice. This policy applies to all individuals employed, contracted, or otherwise representing Care N’ Care and its subsidiaries and those of any FDRs or other business partners who participate in the administration of Care N’ Care’s Medicare Programs. This policy applies to all CNC employees and its affiliates which include the following:

Employees Board Members Physicians Vendors Temporary and Contract Employees Volunteers First Tier, Downstream and Related Entities

DEFINITIONS: Delegated Entity: An entity that is contracted with the plan sponsor to perform certain functions that otherwise would be the responsibility of the plan to perform under its CMS contract, including management and provision of services. A delegate may be a First Tier, Downstream or Related Entity (FDR). Delegation Oversight Committee (DOC): A subcommittee of the Compliance Committee responsible for ensuring that each delegate and vendor is reviewed and evaluated by UAM at least annually. The Committee includes voting and non-voting members and is charged with the routine and systematic evaluation of FDRs and ensures risk management of all FDRs. Downstream Entity: Any party that enters into an acceptable written arrangement below the level of the arrangement between an MA organization (and contract applicant) and a first tier entity. These written arrangements continue down to the level of the ultimate provider of health and/or administrative services. First Tier Entity: Any party that enters into a written arrangement with an MA organization or contract applicant to provide administrative services or health care services for a Medicare eligible individual. Related Entity: Any entity that is related to the MA organization by common ownership or control and, 1) performs some of the MA organization’s management functions under contract or delegation; 2) furnishes

Care N’ Care, DEL-001, Delegation Oversight ________________________________________________________________________________

Page 2 of 5

services to Medicare enrollees under and oral or written agreement; or 3) leases real property or sells materials to the MA organization at a cost of more than $2,500 during a contract period. Monitoring: Surveillance activities conducted during the normal course of operations and which may not necessarily be independent of the business area being monitored. Vendor: An entity that is contracted to perform a defined services that enhances or supports the organization functionality without independent judgment making on behalf of the plan (i.e. print vendor) POLICY:

Care N’ Care maintains ultimate responsibility for fulfilling the terms and conditions as set out in the contract with CMS, including all statutory and regulatory requirements. Care N’ Care evaluates the FDR’s ability to perform the delegated activities and monitors these activities at least annually to ensure the FDR’s compliance. Oversight includes confirmation of on-going compliance with CMS regulations, data accuracy and completeness, and validity of data generated and submitted as well as sub-regulatory guidance and State and Federal law. Care N’ Care is responsible for all data submitted to CMS, including data generated and/or reported by FDRs. Care N’ Care maintains a Delegation Oversight Committee (DOC), a subcommittee of the Compliance Committee, charged with the routine and systemic evaluation of FDRs. Care N’ Care will provide to its employees and FDRs, on an annual basis, communications regarding Compliance training, including but not limited to, the Care N’ Care Code of Conduct, Compliance Program, Fraud, Waste and Abuse (FWA) and Privacy/Security. Delegation oversight maintains a monitoring program for oversight of its First Tier, Downstream, and Related Entities (FDRs) to confirm ongoing compliance with these requirements.

PROCEDURE: FDR Oversight: Care N’ Care will identify at contracting the types of services a vendor is providing. All vendors that provide administrative services will be classified as a first tier, downstream or related entity for initial and annual delegated entity reviews. Care N’ Care will monitor activities performed by a FDR at a minimum of annually to ensure the FDR’s activities are being performed in accordance with CMS regulations. Care N’ Care will conduct an on-site audit as necessary to ensure that the FDR is capable of meeting the established performance standards of UAM, CMS, State and Federal regulations and other relevant accreditation bodies. Care N’ Care performs annual risk assessment to develop its FDR review calendar. Annual reviews of FDRs are performed in accordance with the results of the risk assessment performed and as necessary due to findings throughout the year. FDRs, as applicable, are required to validate the performance of OIG/SAM exclusion monitoring upon hire and monthly thereafter of their employees, temporaries, contractors, governing body members and downstream entities at the time of the review. Delegation Oversight Committee The Delegation Oversight Committee (DOC) is a subcommittee of the Compliance Committee responsible for ensuring that each FDR is review and evaluated by Care N’ Care at least annually. The committee includes voting and non-voting members and is charged with routine and systematic evaluation of FDRs and ensures risk management of all FDRs. An appointed chairperson will lead DOC meetings. A quorum will consist of 2/3 of the voting members. The DOC will meet at a minimum, four (4) times per year and on an ad hoc basis as needed for pre-delegation. If the DOC is unable to meet for any reason, Compliance will publish a quarterly report to update DOC members and to notify any action items as required.


Page 3 of 5

Responsibilities of the DOC include: Assurances that initial assessments of FDRs are conducted prior to contract execution to

determine entities’ operational capabilities to comply with the federal and statutory regulations.

Evaluation of ongoing FDR performance Recommendation of initial or continued contracting with entity based on its assessments

or evaluations of ongoing performance Adherence to delegation oversight policies and procedures Escalation of egregious findings to the Director of Compliance, Senior Management

and/or Legal Counsel as applicable Business Owners’ accountability on functions performed by the FDR

Pre-Delegation Prior to granting delegation to any delegated entity, Care N’ Care will perform a pre-delegation evaluation to determine the delegated entities ability to implement proposed delegated entities. Preliminary Notification of Prospective Delegation The contract owner, or requestor for delegation makes contact with the potential delegate regarding a prospective contract. The contract owner assesses if Care N’ Care and the entity agree to pursue delegation and makes initial contact with all appropriate areas and ensures proper approvals are in place. The Compliance department is notified of the prospective delegation at least 60 days prior to the potential “go-live” of the delegated function. The notification will include the following elements:

The services and/or functions to be performed by the delegated entity The services and/or functions to be performed by Care N’ Care The name of the entity contact person The phone, fax, and e-mail addresses of the entity contact person The mailing address of the entity, including all site locations The lines of business must be delegated The name and contact information of the contract owner The date of the anticipated contract implementation; proposed services levels

(performance standards) and reporting responsibilities of the delegated entity Sub-delegate information, if applicable

Delegation Oversight Committee Review and Pre-Delegation Assessment Once the pre-delegation request is received, the DOC will meet with the contract owner to determine the level of need for the delegated entity. Once approved by the committee, the Compliance Department will complete a pre-delegation assessment. The assessment shall consist of at a minimum:

Site visit Written review of the delegates understanding of the standards and delegated

tasks Staffing capabilities Performance Records and Personnel Credentials Exchange of documents Any other items/documents as needed and/or assigned by the delegation

oversight committee Each delegated entity will be subjected to a pre-delegation assessment. Any deficiencies found during the assessment will result in a corrective action plan (CAP). All assessment findings and CAPs will be communicated to the contract owner, the DOC and executive leadership as applicable. The Compliance department may recommend approval if the following criteria are met:

100% of the assessment elements are met, or 80% or more of the assessment elements are met AND a CAP has been

developed and/or set for implementation for the remaining deficiencies Recommendation for approval may not be made if there are any egregious

findings


Page 4 of 5

The DOC will determine if delegation is approved based on the reports from the pre-delegation assessment. The DOC will pend the consideration of the proposed delegation if the assessment shows 20% or greater deficiencies found. After the DOC consideration, the Compliance Department will contact the proposed delegated entity and provide the results of the assessment, findings and any corrective action plans. All CAPs must be satisfactorily resolved within the time frame approved by the DOC. Compliance will consult with the entity until all CAPs are resolved and will report status to the contact owner, DOC and leadership as applicable. In the event the CAP(s) is not timely and satisfactorily resolved, the DOC will be advised of status, at this time the DOC will determine if a CAP deadline extension will be granted. Once the CAP(s) have been remediated to the satisfaction of the Compliance Department, the results will be presented to the DOC for review and approval to delegate. Pre-Delegation Approval Following DOC approval of the delegation agreement and before the delegated entity performs any delegated service, the contract owner shall:

Facilitate execution of the delegation agreement by the appropriate Care N’ Care designee and the delegated entity

Provide the original fully executed delegation agreement to the Compliance Department

Upon Completion of the above, the delegated entity is considered approved to “go-live”

The contract owner schedules an orientation with the delegated entity which should include at a minimum:

Care N’ Care overview Care N’ Care responsibilities Compliance Requirements Education regarding Fraud, Waste and Abuse (FWA) Delegated Entity Responsibilities Delegated Services Type and frequency of reporting to Care N’ Care Type and frequency of reporting to regulatory agencies, CMS, etc. Process by which Care N’ Care evaluates the delegated entities performance Other topics as determined by Care N’ Care

Reporting The Compliance Department receives monitoring reports, as required. Reports can be received weekly, monthly and/or quarterly. Compliance can also request ad-hoc reports as necessary for monitoring and auditing purposes. All monitoring results will be communicated to the Compliance Committee and Senior Leadership on a quarterly basis. An annual monitoring activities summary will be included in the Annual Compliance Program evaluation that is presented to the Compliance Committee and the Board of Directors. CROSS-REFRENCED DOCUMENTATION: Compliance Risk Assessment Policy & Procedure Compliance Risk Assessment Tool Care N’ Care Charter – Delegation Oversight Committee

REVISION HISTORY Description of Change Author Effective Date Updated format, reference to new Compliance Risk Assessment P&P, process for reporting for meeting cancellations Updated FDR reporting frequency

Nichole Hageman 01/01/2018


Page 5 of 5

REVISION HISTORY Description of Change Author Effective Date descriptions

RELEVANT REGULATORY CITATIONS Document Title Medicare Managed Care Manual – Part C

Chapter 21 – Compliance Program Guidelines

Prescription Drug Benefit Manual – Part D

Chapter 9 – Compliance Program Guidelines


Policy and Procedure Name: Reporting Suspected Misconduct, Compliance Violations, Potential Fraud or Abuse and Privacy or Security Incidents




Review Date:12/15/2017



Page 1 of 4

PURPOSE This policy establishes a structure whereby Care N’ Care (CNC) Governing Body, Employees, and First Tier, Downstream and Related Entities (FDR) are able to report suspected misconduct or violations, in good faith, without fear of retaliation, or retribution. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS Abuse: Payment for items or services when there is no legal entitlement to that payment and the individual or entity has not knowingly and/or intentionally misrepresented facts to obtain payment. ComplianceLine: Contracted vendor that administers a reporting and case management system for potential compliance issues. ComplianceLine takes reports via phone or internet made either anonymously or confidentially and is available 24 hours a day, 7 days a week. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Fraud - Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property owned by, or under the custody or control of, any health care benefit program. (18 U.S.C. § 1347). Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. Waste: The overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources. POLICY

Care N’ Care, COM-028, Reporting Suspected Misconduct, Compliance Violations, Potential Fraud or Abuse and Privacy or Security Incidents ________________________________________________________________________________

Page 2 of 4

A. Care N’ Care is committed to establishing a culture that promotes prevention, detection, and resolution of instances of conduct that do not conform to organizational policies, Code of Conduct, applicable federal and state laws or regulations.

B. All Care N’ Care Governing Body, Employees, and FDRs have the responsibility to promptly report, in good faith, any suspected Fraud, Waste, or Abuse, or suspected violations of any statute, regulation, or guideline, applicable to federal and/or state health care programs, of the Code of Conduct, or of Care N’ Care’s policies and procedures.

C. Every effort will be made to keep the identity of the individual reporting the violation confidential. However, total confidentiality cannot be guaranteed. For the highest level of confidentiality, reports should be made to the Compliance Line where the report can remain anonymous. If you choose to provide your name through the Compliance Hotline your identity will not be disclosed, up to the limits of the law. This means that Care N’ Care may be required to report actual violations of law and must also cooperate with legitimate government investigations which could ultimately compromise your identity.

D. Good faith reporting is an expected, accepted and protected behavior. Conduct intended to retaliate against an individual for making a good faith report, or to coerce an individual to make a false report is a violation of this policy. If you feel you may be the subject of any retaliation, retribution, harassment, or attempt to influence, you should immediately contact the Compliance Officer.

PROCEDURE

1. The Compliance Officer, in collaboration with the management team, shall ensure awareness of the

following compliance measure: a) Open communication between Employees and their manager, or supervisor, about any

questions regarding compliance. Managers and supervisors shall respond to any inquiry and/or refer the question to appropriate personnel.

b) All management personnel shall have an open-door policy that allows an Employee to present any suspected violation.

c) All Care N’ Care Members, Governing Body, Employees, and FDRs are responsible for promptly reporting suspected violations, in good faith, of any statute, regulation, or guideline, Fraud, Waste, or Abuse, applicable to federal and /or state health care programs, of the Code of Conduct, or of Care N’ Care’s policies and procedures, or other instances of misconduct.

2. The Compliance Officer, in collaboration with Human Resources, shall implement and publicize, in

writing, compliance measures, including, but not limited to:

1. Employee Handbook; 2. Code of Conduct; and 3. Compliance training.

3. Mechanisms for Reporting Suspected Misconduct, Compliance Violations, Potential Fraud or Abuse and Privacy and Security Incidents 1. A member of the Governing Body, Employee, or FDR may:

a) Report to a manager, supervisor or the Human Resources department. b) Report directly to the Compliance Officer or any member of the Compliance team at 1701

River Run, Suite 402 Fort Worth, TX 76107. Contact Nakia Smith by telephone at 817-632-3023 or by email at [email protected]

c) Email the designated compliance email box at [email protected] d) Call the Compliance Hotline at 1-844-760-5838. Reports made through the compliance

hotline can be made confidentially or anonymously, 24 hours a day, 7 days a week. The


Page 3 of 4

Compliance Hotline allows for anonymous reporting via the ComplianceLine website at www.mycompliancereport.com.

e) Report Privacy Issues to the Compliance Officer. Contact Nakia Smith by telephone at 817-632-3023 or by email at [email protected]

f) Report Security Issues to the NTSP Security Officer. Contact Franky Le by telephone at 817-529-8275 or by email at [email protected].

g) Submit a Suspected Fraud or Abuse Referral Form. This form is available on the Care N’ Care Shared drive and the Care N’ Care Website at www.cnchealthplan.com.

4. Information to Include when Making a Report:

a) When making a report, it is best to provide as much of the following information as possible: A description of possible violation or incident. When the possible violation or incident occurred. The person(s) involved. How you learned about the violation or incident Any evidence to support the above allegations. Knowledge of any other individual who may be able to provide further information

b) Reports of potential provider fraud, waste, and abuse should include the following:

Provider name, all known billing and tax identification numbers, and addresses. Type of provider involved in the allegation and the perpetrator, if an employee of the provider. Type of item or service involved in the allegation. Place of service. Nature of the allegation(s). Timeframe of the allegation(s). Narration of the steps taken and information uncovered during the screening process. Date of service and/or drug code(s). Beneficiary name, beneficiary Health Insurance Claim Number (HICN), address and

telephone number. Name and telephone number of the employee who received the complaint. Contact information of the complainant, if not the beneficiary. All documents pertaining to prior sanctions and/or compliance history and corrective actions

taken, if any. 5. Managers, or supervisors, who receive reports from Employees shall immediately report the

information to the Compliance Officer, or Designee. 6. Any information received by the Compliance Officer, designee, manager or via a Suspected Fraud,

Waste or Abuse Referral Form shall be handled in the same manner as calls received on Care N’ Care’s Compliance Hotline, in accordance with Policy COM-002: Compliance Hotline.

7. The Compliance Officer or Designee is responsible for reviewing all reports of suspected violations.

The Compliance Officer or Designee shall maintain, to as great a degree as practical, the confidentiality of the identity of any Employee who submits a report of suspected violation, as allowed by law.

8. The Compliance Officer or Designee shall conduct an investigation, in accordance with Policy COM-

012: Investigating & Responding to Potential Compliance Issues, and shall report findings to the Compliance Committee, the Board of Directors, regulatory and/or law enforcement agency, as deemed appropriate.

CROSS-REFRENCED DOCUMENTATION: COM-012, Investigating & Responding to Potential Compliance Issues COM-002, Compliance Hotline


Page 4 of 4

Care N’ Care Code of Conduct


RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations 42 CFR Part 422.503(b)(4)(vi)(A) through (G) Code of Federal Regulations 42 CFR Part 423.504(b)(4)(vi)(A) through (G)

42 C.F.R. §423.501 U.S. Department of Health and Human Services (HHS), Office of Inspector General

Guidance for Submitting a Contractor Self Disclosure, April 2014

Review/Approval Date: Signature on File __________________________ Signature 03/20/2018__________________________ Approval Date

Policy and Procedure Name: CMS Self-Disclosure







Page 1 of 4

PURPOSE: The purpose of this policy is establish a process for self-disclosing incidences of significant Medicare program non-compliance to Care N’ Care’s Centers for Medicare & Medicaid Services (CMS) Regional Account Manager. This self-disclosing process ensures that corrective actions are taken timely when non-compliance incidents are identified. POLICY: Care N’ Care follows the guidelines and regulations set forth by the Centers for Medicare & Medicaid Services (CMS), regarding compliance to the Medicare Program and monitoring process for Part C and Part D programs. The Compliance Department oversees and implements an effective Compliance Program to prevent, detect, and correct Part C and Part D programs’ non-compliance. This policy encourages internal and external business owners to voluntarily identify, disclose, and correct non-compliance incidents to meet the Medicare program guidelines and regulations set forth by CMS. Self–reported non-compliance incidents reported to the Compliance Department are investigated and Corrective Action Plans (CAPs) issued and responded to, as promptly as the severity level assigned to the non-compliance incident allows, and as described in Care N’ Care Policy COM-005: Corrective Action Plan. PROCEDURE: A. Submitting a Self-Disclosure

1. The department Director, Manager, or delegate has twenty-four hours (24) hours (once an incident is identified) to Self-Disclose a non-compliance incident to the Compliance Department. In severe non-compliance incidents impacting and resulting in beneficiary harm, Non-Compliance Self-Disclosure Form (SDF) must be completed as soon as it is identified.

2. The department Director, Manager, or delegate must document the non-compliance incident

identified using the SDF and submit the completed SDF to the Compliance Department.

3. The SDF must be submitted electronically.

4. Depending on the severity of the incident being reported, the Compliance Department will review the submission and respond back within three to five (3-5) business days to the submitting party either accepting, or rejecting, the disclosure.

A. Required Information Related to the Self-Disclosing Incident

1. To Self-Disclose a non-compliance incident to the Compliance department, the

Care N’ Care, COM-029, CMS Self-Disclosure ________________________________________________________________________________

Page 2 of 4

submitting party must provide the following information in the SDF:

a. Contact information:

b. Submitter contact name, phone number, email, and address (for external submitters), and area of non-compliance (For example: Enrollment, Pharmacy, Customer Service, Sales, etc.).

c. A brief description/summary of the identified non-compliance incident, including specific time frames during which the internal or external party might have been out of compliance. Any applicable supporting documentation should be included.

d. A brief description of why the internal or external party believes they are out of compliance with the identified area.

e. Circumstances under which the non-compliance was discovered (For example: grievance, complaint, Audits, or through a data analysis), and actions taken, if any, to correct the non-compliance upon discovery of the incident.

f. A root cause analysis and the impact beneficiary harm, benefits, quality of care

posed by the incident disclosed with sufficient information to allow the Compliance department to assess the severity of the non-compliance incident or risk, and steps that should be taken to meet compliance.

g. If applicable, the dates, or range of dates, whereby the non-compliance was cured and if any claims or services were, or have been, impacted.

h. Remediating measures taken to prevent future non-compliance of that nature from reoccurring,

i. Monitoring steps and implementation time frames, including proof of remediation. (For example: employee training, enhancing internal control procedures, increased internal Auditing efforts, increased oversight by management, etc.)

j. A description of appropriate Member/provider notices, if applicable, provided with disclosure of the non-compliance incident.

B. Compliance Investigation & Corrective Action Plan (CAP)

2. Upon receipt of a self-disclosure submission, the Compliance department will begin its investigation of the disclosed information. The extent of the investigation will depend upon the severity of the incident and evidence or documentation provided with the SDF.

3. If additional non-compliance incidents are discovered during the investigation process,

that incident will be treated as a new non-compliance incident and the self-disclosing party will be required to complete a new SDF for that incident.

4. To facilitate the investigation process, Compliance will review and request additional

information and conduct interviews, if necessary, with the applicable parties/ departments. If additional information is requested based on the severity of the incident, the self-disclosing applicable parties/departments shall submit the requested information.

5. Once Compliance completes the initial investigation, the business owner will be provided

with initial findings and a request for CAP, if applicable which must be completed and


Page 3 of 4

responded to in accordance with Compliance Policy COM-005: Corrective Action Plan.

6. If the non-compliance is a result of a Grievance filing, Compliance will work with the Appeals & Grievances department with the final resolution for insertion into the Member Grievance file.

C. Findings Report

1. Once the investigation and CAP (if applicable) has been submitted, the Compliance

Officer will submit the non-compliance incident to the CMS Regional Account Manager including impact analysis and steps taken to correct the non-compliance, immediately, but no later than ten (10) calendar days.

2. Care N’ Care shall report the incident to CMS as soon as possible after its discovery.

3. The Compliance Officer, or Designee, will also submit the final, signed Non-Compliance

Self-Disclosure Form outlining the course of actions that included the accepted CAP, and continued Monitoring efforts to the accountable Director and report to Committees as applicable.

4. Compliance Issues that are self disclosed will be added to the tracking for pending self-

disclosed items to be submitted to CMS for a Compliance Program Audit.

ATTACHMENTS Non-Compliance Self-Disclosure Form CROSS-REFRENCED DOCUMENTATION:

RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations 42 C.F.R. §§ 422.503 (b)(4)(vi)(G)

Medicare Managed Care Manual Chapter 9 Compliance Program Guidelines and Chapter 21 of

the Prescription Drug Benefit Manual

Code of Federal Regulations 42 C.F.R. §§423.504(b)(4)(vi)(G)


Review/Approval Date:


Page 4 of 4

Signature on File __________________________ Signature 03/20/2018 _________________________ Approval Date

Policy and Procedure Name: Compliance Program Effectiveness







Page 1 of 2

PURPOSE The purpose of this policy and procedure is to set forth Care N’ Care’s (“CNC”) process of measuring Compliance Program Effectiveness. DEFINITIONS Compliance Program: A comprehensive program that incorporates the fundamental elements identified by the state and federal governments and Care N’ Care as necessary to prevent and detect violations of ethical standards, contractual obligations, and applicable laws. Elements of the Compliance Program include standards, oversight, training, reporting, monitoring, enforcement, and remediation. The Compliance Program applies to Care N’ Care’s Board of Directors, employees, providers, contractors, first tier, downstream and related entities. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. POLICY CNC’s Compliance Office with oversight from the Board of Directors is responsible for reviewing measurable evidence that the Compliance Program is detecting and correcting Medicare Program non-compliance on a timely basis. CNC’s Board of Directors will receive and evaluate data, which shows the Compliance Programs effort to reduce the risks of Program non-compliance and Fraud, Waste and Abuse (“FWA”). PROCEDURE

I. Care N’ Care shall use multiple methods to assist in measuring the overall effectiveness of

its Compliance Program.

Care N’ Care, COM-027, Compliance Program Effectiveness ________________________________________________________________________________

Page 2 of 2

II. The Compliance Officer shall conduct a self assessment at least annually utilizing the

Compliance Program Effectiveness Self Assessment Questionnaire.

III. Care N’ Care shall routinely monitor overall compliance effectiveness through at least

quarterly dashboard reports, issues of non-compliance, self assessment tools, audit and

monitoring results.

IV. At least annually, an independent auditor will conduct an audit of the effectiveness of the

Compliance Program.

V. Compliance will apply the CMS program Audit Best Practice and Common Findings when

reviewing the effectiveness of the compliance program.

VI. The Compliance Officer shall review the Compliance Effectiveness results and include in the

annual compliance workplan/audit plan as needed.

VII. Compliance shall present the Compliance Program Effectiveness audit results to the

Compliance Committee, Senior Management and Board of Directors.

ATTACHMENT: Compliance Program Effectiveness Self Assessment Questionnaire

REVISION HISTORY Description of Change Author Effective Date New Policy Implementation Nakia Smith 3/1/2016 Revised to show Independent third party auditor at least annually

Nakia Smith 6/1/2017

RELEVANT REGULATORY CITATIONS Document Title Medicare Managed Care Manual Chapter 21 and Prescription Drug Benefit Manual Chapter 9

50.6.5 – Audit of the Sponsor’s Operations and Compliance Program

Review/Approval Date: Signature on File __________________________ Signature 03/1/2016 __________________________ Approval Date

Policy and Procedure Name: Compliance Risk Assessment

Policy Number: COM - 026

Functional Business Owner’s Name: Nakia Smith, Compliance Officer



Approver’s Name: Wendy Karsten, CEO


Page 1 of 4

PURPOSE: To describe the annual risk assessment process Care N’ Care follows to identify specific areas vulnerable to Fraud, Waste, or Abuse (FWA) and potential compliance risk for its operational areas, first tier, downstream and related entities (FDR) and executive leadership. This assessment will establish a baseline of areas for monitoring, auditing or other work efforts as they relate to Medicare Compliance. This policy applies to all CNC employees and its affiliates which include the following:

Employees Board Members Physicians Vendors Temporary and Contract Employees Volunteers First Tier, Downstream and Related Entities

DEFINITIONS: Abuse – A provider practice that is inconsistent with sound fiscal, business, or medical practice, and results in an unnecessary cost to Care N’ Care, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. Compliance Committee – A committee that consists of executive’s officers, the Director of Compliance and legal counsel that oversee the implementation of Care N’ Care’s Compliance Program Downstream Entity – Any party that enters into an acceptable written arrangement below the level of arrangement between Care N’ Care and a first tier entity. These written arrangements continue down the level of the ultimate provider of health and/or administrative services First Tier Entity – Any party that enters into a written arrangement with Care N’ Care or contract applicant to provide administrative services or health care services for a Medicare individual. Fraud – An intentional deception or misrepresentation made by a person with the knowledge that the deception could result in some unauthorized benefit to himself or some other person. It includes any act that constitutes fraud under applicable Federal or State Law Related Entity – Any entity that is related to Care N’ Care by common ownership or control and performs some of Care N’ Care’s management function under contract or delegation, furnishes services to Medicare enrollees under and oral or written agreement, or leases real property or sells materials to Care N’ Care Waste – Overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare Program. Waste is generally not considered to be caused by criminally negligent actions but rather the misuse of resources Office of the Inspector General (OIG) – Develops and distributes resources to assist the health care industry in its efforts to comply with the Nations’ fraud and abuse laws. Educate the public about fraud schemes. POLICY: The Compliance Department is responsible for completing the annual Risk Assessment to develop its internal audit and monitoring plan. Care N’ Care utilizes Care N’ Care utilizes the following

Care N’ Care, COM-026 Compliance Risk Assessment ________________________________________________________________________________

Page 2 of 4

resources to help identify potential risks poses to CNC and related entities. These include, but are not limited to, regulatory guidance, publications and evidence of CNC performance:

Office of Inspector General (OIG) Work Plan Medicare Managed Care Manual (MMCM), Chapter 21 Regulatory Auditing and Monitoring Activity CMS Communications and Regulatory Updates CMS Compliance/Enforcement Actions Delegated Functions

o CNC utilizes factors/criteria recommended by CMS to determine if an FDR can be assigned a delegated function. These include:

The function performed by the delegated entity Whether the function is something CNC is required to do or to provide under

its contract with CMS Beneficiary impact Access to beneficiary information or personal health information Decision making authority Fraud, Waste & Abuse

Operational Area Survey

PROCEDURE: Risk Assessment The Risk assessment is performed on an annual basis and consists of two parts. The first part, is comprised of source intake and review to include the resources listed above. The second part involves risk summary and prioritization. This includes:

Risk Summary – Each risk reviewed individually and groups like items to provide a comprehensive list of all identified risks

Risk Description – a description of the inherent risk factors as well as CNC specific risk exposure based on the information provided

Impact – Member impact Likelihood – A numeric value to demonstrate the likelihood of risk to occur Mitigation – Managed can identify mitigating factors (policies, systems, training, monitoring,

or other controls) for each identified risk. Total Risk Score – the total score is the product of the impact score, likelihood score and

mitigation rate Risk Scoring Impact: Member access and experience is a primary mission of the compliance function. In order to include this as a consideration when evaluating risk, this risk assessment considers member impact to determine risk level. Additionally, CNC considers potential impact to the organization as a factor when determining risk level in this category. As part of this risk assessment process, Compliance assigns a numeric value to quantify the level of impact to the member(s) and/or the organization, should the risk occur. The impact scale is outlined in the Risk Assessment Document. Likelihood: The Source Intake & Review section described in the Risk Assessment document considers key sources governing the MA-PD product, compliance and CNC performance. In that section, Compliance assigns a numeric value to demonstrate the likelihood of the risk occurring. To quantify the likelihood, Compliance totals the number of times the particular risk is listed in the Source Intake & Review Section. Each bolded item in the Resource Intake & Review section counts as one for purposes of calculating likelihood. Points may be added to the likelihood score based on information gathered from staff interviews and responses from the Compliance Part C and D Operational Survey – Risk Assessment. Mitigation: As part of the risk assessment survey, Compliance asks management and key staff to identify mitigating factors (policies, systems, training, monitoring, or other controls) for each identified


Page 3 of 4

risk. The information is used to mitigate the risk score. The volume and strength of these controls is used by Compliance to determine the mitigation rate. Total Risk Score: The total risk score is the product of the impact score, likelihood score, and mitigation rate. The impact score and likelihood score are multiplied, then that total is multiplied by the mitigation rate, which produces the final score. The Total Risk Score can fall into 1 of 4 possible categories as described in the table below:

Total Risk Score

Rating Description Definition

1‐26 Low The degree of risk appears reasonable; however, opportunities exist to further reduce risks through improvement of existing policies, procedures and/or operations. As such, further analysis should be performed by management and appropriate action should be taken to address the identified opportunities.

27‐63 Medium The degree of risk is undesirable and either does or could pose a moderate level of exposure to the organization or the specific area evaluated. As such, action is needed by management in order to address the noted concern in a timely manner to help reduce risks to a more desirable level.

64‐99 High The degree of risk is unacceptable and either does or could pose a significant level of exposure to the organization or the specific area evaluated. As such, prompt attention is required by management in order to address the noted concerns.

100‐125 Urgent The degree of risk is unacceptable and poses a significant level of exposure to the organization. As such, immediate attention is required by management in order to address the noted concerns.

Compliance Audit and Monitoring Plans Care N’ Care Compliance team develops their annual Audit and Monitoring plans based on findings from the risk assessment. Operational areas to audit and/or monitor are prioritized based upon the scores received. Delegates and Operational areas who perform a high number of CMS-required functions will inherently have high risk scores and may be automatically considered for audit. The Compliance Department quarterly re-evaluates the risk assessment to allow for the identification of areas that have either increased their risk score due to newly opened audits, CAPs or CMS notices or have reduced their risk score due to the completed corrections to audits, CAPs, and CMS notices. The Compliance Audit and Monitoring plans are revised based on the results of the re-evaluation to reflect current priority levels.

As part of their business agreement/contract, all FDRs are required to comply with routine audits, routine monitoring and to complete corrective actions in a timely manner issued upon the identification of non-compliance by Care N’ Care or an external auditing/monitoring vendor. The Compliance Work Plan identifies all monitoring reports for each FDR that are tracked by Compliance. Monitoring may be added at any time based on identified risks from compliance actions, monitoring, or audits. In addition, all Care N’ Care entities are monitored by their responsible operational area on an ongoing basis as part of normal operations to track and analyze trends to more promptly manage issues of non-compliance at the lowest level of detection.

Corrective Action Plans Any issues identified during monitoring activities may require correction via a Corrective Action Plan (CAP) and must be implemented timely and/or as specified in accordance with the contractual and delegation agreements.


Page 4 of 4

When areas on non-compliance are self-identified by the FDR outside of monitoring activities, all Care N’ Care FDRs are required to notify Care N’ Care immediately and take prompt action to cure the deficiency and validate the cure to prevent future recurrence.

Results Results of the Compliance Risk Assessment are presented to the Delegation Oversight Committee (DOC) to be used in the evaluation process as established by the DOC. Additionally, results are communicated to the Compliance Committee and Leadership as applicable. The Compliance Department will re-evaluate the risk plan based on internal changes including, but not limited to, staffing and organizational structure changes, internal audit results, and monitoring results. External changes such as regulatory changes, marketplace changes and CMS audit results will also prompt a re-evaluation of the risk plan.

CROSS-REFRENCED DOCUMENTATION: Corrective Action Plans Policy & Procedure – COM-005 Compliance Risk Assessment Document

REVISION HISTORY Description of Change Author Effective Date Updated to reflect new Risk Assessment process, updated policy format


RELEVANT REGULATORY CITATIONS Document Title Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines Prescription Drug Benefit Manual Chapter 9 – Compliance Program Guidelines


Policy and Procedure Name: Monitoring Excluded Individuals and Entities







Page 1 of 5

PURPOSE The purpose of this policy is to ensure that Care N’ Care Insurance Company, Inc. (CNC) and its first-tier, downstream, and related entities comply with federal regulations prohibiting the employment of, contracting with, or payment to any individual or entity that has been sanctioned, debarred, suspended, excluded, or otherwise deemed ineligible from participation in federal health care programs. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS Exclusion Lists: Consist of the Office of the Inspector General’s (OIG) List of Excluded Individuals /Entities (LEIE) and the General Services Administration’s (GSA), System for Award Management (SAM).

First-Tier, Downstream, and Related Entities (FDRs): First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. Ineligible Individuals and Entities: Ineligible Individuals and Entities includes any individual or entity that (a) is currently excluded, debarred, suspended, or otherwise ineligible to participate in the Federal Health care programs or in Federal procurement or non-procurement programs; or (b) has been convicted of a criminal offense that falls within the ambit of 42 U.S.C. § 1320a-7(a), but has not yet been excluded, debarred, suspended, or otherwise declared ineligible; or (c) is currently on the Office of Foreign Assets Control (OFAC) watch list of Specially Designated Nationals (SDN).

List of Excluded Individuals and Entities (LEIE): The LEIE is the list of individuals and entities that are excluded from participating in federally funded health care programs (e.g., Medicare, Medicaid, TriCare, Veterans programs, etc.), otherwise known as “Sanctioned Practitioners and Providers.” This list is maintained and posted by the Office of Inspector General (OIG).

Care N’ Care, COM-024, Monitoring Excluded Individuals and Entities ________________________________________________________________________________

Page 2 of 5

Medicare Opt-Out: The Medicare Opt-Out list is a list of those providers who “opted out” of the Medicare program and may provide covered care to Medicare beneficiaries only through private agreements with Medicare beneficiaries.

System for Award Management (SAM): (previously Excluded Parties List System (EPLS): is an electronic database maintained and posted by the General Services Administration containing the list of all parties suspended, proposed for debarment, debarred, declared ineligible, or excluded or disqualified under the non-procurement common rule by agencies, Government corporations, or by the Government Accountability Office. POLICY It is the policy of CNC to comply with all federal and state laws and regulations. CNC will conduct exclusion and debarment screening of its employees, members of its Board of Directors, (when acting on behalf of the Company), first tier, downstream and related entities (FDRs), temporary workers/contractors, and all agents of the Company acting on behalf of CNC. Screening will be performed upon hire and/or, appointment, contracting and monthly thereafter. PROCEDURE

Responsibility Action

Human Resources As part of the hiring process, HR will ensure all prospective employees (e.g., permanent employee, temporary employee, volunteer, consultant) are screened prior to employment by:

1. Requiring applicants to disclose whether they are ineligible.

2. Reviewing the Department of Health and Human Services Office of Inspector General List of Excluded Individuals and Entities (LEIE) or the System for Award Management (SAM) (formerly the Excluded Parties List System).

3. Maintaining confirmation that initial screenings have been completed.

4. On a monthly basis, provide an electronic listing of all current employees to the Compliance department for monthly screening.

CNC Administration Screening of Board/Committee members:

1. Before a prospective Board/Committee Member is elected, Administration shall submit candidates to the Compliance Department who will search the Exclusion Lists for the prospective Board member.

2. On a monthly basis, provide an electronic listing of all

current Board members to the Compliance department for monthly screening.

Contracting/Sales/Legal/Finance/ Care Management/Claims

CNC shall not contract, pay for services, equipment, or drugs prescribed by an individual or provider excluded from participating in federal programs. This applies to both health care and non-health care entities. Prior to contracting, payment, authorization of services Credentialing, Legal, Finance, Care Management and Claims shall:

1. Require vendors, including temporary/contractors to disclose whether they are ineligible.

2. Review the Department of Health and Human Services Office of Inspector General List of Excluded Individuals


Page 3 of 5

and Entities (LEIE) or the System for Award Management (SAM) (formerly the Excluded Parties List System).

3. Review the Medicare Opt-Out list, as required to comply with CMS regulations.

4. Maintain confirmation that screenings have been completed.

5. On a monthly basis, Accounts Payable and Sales, provide an electronic listing of all data files to the Compliance department for monthly screening.

Note: Claims, provider and pharmacy data files will be auto-loaded and compared to external exclusions databases by Compliance for monthly screening.

Compliance Office Conduct monthly screenings of the LEIE and SAM exclusion debarment lists to help ensure that no its employees, Board of Directors, first tier, downstream and related entities (FDRs), temporary workers, contractors, providers and all agents are listed as excluded or debarred by conducting the following:

1. On a monthly basis, files from each business unit will be uploaded via the CNC Exclusions database and compared to the specified exclusions list. The user interface will identify possible matches from each source, producing an exceptions report for final exclusion identification by the end user.

2. Files from the following business units will be processed: Accounts payable vendors, claims providers, contracted providers, employees, brokers, and board members. The interface will allow for the extraction and saving of data via multiple file types.

3. Claims, provider and pharmacy data will be auto-loaded from the data warehouse and compared to external exclusions databases.

4. Any potential matches identified in the cumulative screening process will be investigated by the Compliance Office, with assistance from the impacted business areas. The investigation may require the disclosure and use of additional identifiers (e.g., Social Security Number, Tax ID Numbers).

5. If an ineligible individual/entity is idenfitied in the exclusion and debarment verification process, the Compliance Office will work with Legal Counsel and the Chief Executive Officer for advice and direction on proceeding with an appropriate course of action. Appropriate action is determined on a case-by-case basis, considering all of the relevant facts and circumstances, but can include action up to and including withholding payment for services, request for reimbursement for payment already made, or prevention or termination of and engagement or a contract, and disclosure to CMS and/or DHHS Office of Inspector General.

6. Results of the monthly screenings will be conveyed to the senior management of the companies or departments with appropriate action to address the findings.

Compliance Office/ FDRs

1. Develop and implement policies and procedures that require the review of the LEIE and SAM (1) prior to the


Page 4 of 5

initial hire of employees and (2) monthly thereafter to ensure that no employees are excluded from Federal health care programs. The FDR must document such reviews.

2. FDRs and their employees, to whom CNCs core functions

are delegated must immediately disclose any exclusions or activities that makes them ineligible to perform work related directly or indirectly to Federal health care programs.

3. Compliance will perform appropriate monitoring and

auditing of these entities to ensure that they are fulfilling these requirements by requiring each FDR to sign an annual attestation and will review processes during delegation audits.

CROSS-REFRENCED DOCUMENTATION:

A list of all exclusions and their statutory authority are available on the Exclusion Authority website at: https://oig.hhs.gov/exclusions/authorities.asp.

The current LEIE is available on the OIG-HHS website at: http://exclusions.oig.hhs.gov/. Frequently asked questions (FAQs) and additional information on the LEIE is available at:

https://oig.hhs.gov/faqs/exclusions-faq.asp The SAM is available at the following link: https://www.sam.gov/portal/public/SAM/

ATTACHMENT: Exclusions Screening & Investigations Process Business Review Document – CNC Exclusions Screening Database


RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations, 42 CFR 422.503(b)(4)(vi)(F)

Contract Provisions

Code of Federal Regulations, 42 CFR 423.504(b)(4)(vi)(F)

Contract Provisions

Medicare Managed Care Manual Chapter 21 and Prescription Drug Benefit Manual Chapter 9, § 50.6.8

OIG/GSA Exclusion

Code of Federal Regulations, 42 CFR, 405.440

Emergency and urgent care services

Review/Approval Date: Signature on File __________________________


Page 5 of 5

Signature 03/01/2016 __________________________ Approval Date

Policy and Procedure Name: Training and Education







Page 1 of 4

PURPOSE:

To ensure that all Care N’ Care (CNC) all employees, temporary employees, consultants, governing body members, and the organization’s first tier, downstream and related entities (FDRs) are equipped with the knowledge and skills to perform their duties in compliance with all applicable laws, regulations, requirements and company policies. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS: Abuse: Actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse cannot be differentiated categorically from fraud, because the distinction between fraud and abuse depends on specific facts and circumstances, intent and prior knowledge, and available evidence among other factors. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Fraud: Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property owned by, or under the custody or control of, any health care benefit program. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. (See 42 C.F.R. §423.501). Waste: Overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare program. Waste is generally notconsidered to be caused by criminally negligent actions but rather the misuse of resources.

Care N’ Care, COM-019, Training and Education _________________________________________________________________________________

Page 2 of 4

POLICY:

The Compliance and Human Resources department will collaborate to establish, implement and provide effective compliance and FWA training including code of conduct distribution to all employees including chief executive or other senior administrators, managers, governing body members, temporary employees, consultants, and FDRs, within 90 days of hire and annually thereafter per CMS requirements. The Compliance Officer or designee shall educate all new board members on the Compliance Program, no more than 90 days after appointment. PROCEDURE:

I. The CNC Compliance and Human Resources Department administers new-hire and annual

compliance training to all employees, contractors and board members via an online training portal (BridgeFront). Topics for annual and new hire training include, but are not limited to:

Compliance Program Overview – The compliance training program communicates an overview of

the processes to ask compliance related questions, request compliance clarification and report potential non-compliance issues. This training emphasizes confidentiality, anonymity, and non-retaliation for compliance related questions, or reports of potential non-compliance. The training also includes a review of the disciplinary guidelines for non-compliant or fraudulent behavior which results in mandatory retraining and may result in disciplinary action, including possible termination when such behavior is serious, repeated or when knowledge of a possible violation is not reported.

Health Insurance Portability and Accountability Act (HIPAA) – defines Protected Health

Information (PHI) and provides tips to safe-guard member and provider information in the workplace.

Healthcare Fraud, Waste and Abuse – defines potential red flags for identifying fraud, waste and

abuse, outlines the various laws and regulatory requirements used to fight violations of fraudulent activity.

Medicare 101 – foundation basics regarding the history of the Medicare program, the benefits provided by Medicare and associated program finances.

II. All training modules are reviewed and updated, as needed, at least annually, but more often if needed

to reflect changes to related laws, regulations, policy, or guidance.

III. The Human Resources Department, in conjuction with Compliance will monitor post-training testing and completion rates for training. All internal staff are considered to have passed training courses with a minimum of eighty percent (85%). Human resources will follow up with department management to ensure training courses are complete within given timeframes. The Human Resources Department maintains records of all training and education initiatives, including those that are computer based modules. Disciplinary actions are taken, as needed, to enforce completion of required training.

IV. Training records are maintained for a period of no less than ten (10) years and will include time, attendance, topic, certificate of completion, and test scores of any test administered.

V. Specialized Training In addition to general compliance and FWA training, Managers of specific operational areas shall provide their employees with specialized training relating to the regulatory requirements affecting their particular departmental duties. Operational areas shall deliver new hire training, training when there


Page 3 of 4

are significant changes to procedures, or refresher training when there is an upcoming annual event (e.g., Annual Enrollment Period). Compliance may develop and deliver specialized focused training in the event that there are issues or trends that have been identified. Topics covered and required attendees will be defined on a case by case basis. Examples of specialized training that may be developed include:

Handling Complaints, Grievances and Appeals Marketing to Medicare beneficiaries. Updated Medicare Regulatory Guidance FDR Compliance Program Requirements

VI. Training and Education Requirements for FDRs:

All CNC FDRs and their employees who have involvement in the administration or delivery of Parts C and D benefits are required to perform their contracted responsibilities in compliance with CNC policy, CMS regulatory requirements, and all applicable laws and regulations. CNC requires all FDRs to conduct their own compliance training (general and specialized), or

where there are sufficient organizational similarities, training and education for contracted entities will be developed and delivered in collaboration with CNC department managers that have established methods of contractor communication. All contracted entities shall receive sufficient training and education to enable them to understand and fulfill these requirements. FDRs and their employees must receive general compliance training within 90 days of contracting/hire and annually thereafter as a condition of employment.

FDRs and their employees must also undergo FWA training covering the topic listed in “Fraud,

Waste, and Abuse Training” above. FDRs that have met FWA certifications through enrollment into the Medicare program or accreditation as a durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) supplier are deemed to have met the FWA training and education requirement. No additional documentation beyond the documentation necessary for proper credentialing is required to establish that an employee or FDR or employee of an FDR is deemed. However, even if deemed for FWA training, FDRs employees still must have general and specialized compliance training.

All Medicare Programs FDRs that are not deemed through their enrollment into Original Medicare

are required to complete the CMS mandated FWA and Medicare Compliance Training posted on MLM. Certificates of completion must be maintained for all employees at the FDR that work on CNC Medicare Products. FDRs can access the CMS training module by visiting the CMS website at:

http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/WebBasedTraining.html.

All CNC Agents/Brokers are required to complete training during the initial and annual sales

appointment process. CNC utilizes the AHIP process for training completion. In no event may an agent or broker be appointed or market to a beneficiary without completing training.

Providers are required to complete training within ninety (90) days of contracting, and annually thereafter. As outlined above, providers who have met the FWA certification requirements through enrollment into the Medicare program or accreditation as a Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) are deemed to have met the training and educational requirements for fraud, waste, and abuse. However, these providers still must receive general compliance training.

CNC requires the pharmacy benefits manager (PBM) to administer the training to its network

pharmacies.


Page 4 of 4

FDRs are required to retain evidence of training completion (e.g., training logs, employee certifications, etc.) for a period of no less than ten (10) years, and to make this evidence available to CNC and/or CMS, upon reques.

FDRs are asked to complete and submit an annual attestation to confirm training completion.


REVISION HISTORY Description of Change Author Effective Date Revised policy to include new processes around online training and FDR guidance.


Annual policy review; Add compliance training requirement for language for board members.




Policy and Procedure Name: Reporting Fraud, Waste and Abuse External Agencies







Page 1 of 7

PURPOSE:

To ensure timely and proper reporting to the appropriate entities in detecting and preventing suspected fraud, waste, and abuse (FWA), including but not limited to the:

U.S. Department of Justice (DOJ) and U.S. Department of Health & Human Services, Office of Inspector General (OIG)’s Health Care Fraud Prevention and Enforcement Action Team (HEAT)

Centers for Medicare & Medicaid Services (CMS)

Medicare Drug Integrity Contractor (MEDIC)

Texas Department of Insurance

DEFINITIONS: Fraud - means an intentional deception or misrepresentation that the individual knows to be false or does not believe to be true, and that the individual makes knowing that the deception could result in some unauthorized benefit to himself/herself or to some other person. Waste - is the inappropriate utilization and/or inefficient use of resources. Abuse - occurs when an individual or entity unintentionally provides information to Medicare which results in higher payments than the individual or entity is entitled to receive. FWA - within a plan or its first-tier, downstream, or related entitles may be discovered through a hotline, a website, a beneficiary complaint, during routine monitoring or self-evaluation, an audit, or by regulatory authorities. The reporting of potential fraud is an important mechanism for protecting Medicare beneficiaries from harm and the Medicare Trust Fund from FWA. Potential FWA may be reported to government authorities, such as the HEAT, CMS, MEDIC, DMHC, and/or DOI. BACKGROUND: In May 2009, the DOJ and OIG announced the creation of their joint Health Care Fraud Prevention and Enforcement Action Team (HEAT). HEAT’s mission is to do the following: (1) to marshal significant resources across government to prevent waste, fraud and, abuse in the Medicare and Medicaid programs and crack down on the fraud perpetrators who are abusing the system and costing us all billions of dollars; (2) to reduce skyrocketing health care costs and improve the quality of care by ridding the system of perpetrators who are preying on Medicare and Medicaid beneficiaries; (3) to highlight best practices by providers and public sector employees who are dedicated to ending waste, fraud, and abuse in Medicare; and (4) to build upon existing partnerships that already exist between the DOJ and the DHHS to reduce fraud and recover taxpayer dollars.

Care N’ Care, COM-015, Reporting Fraud Waste and Abuse _________________________________________________________________________________

Page 2 of 7

The Centers for Medicare & Medicaid Services (CMS) is another entity dedicated to preventing FWA and has created a Surveillance Marketing Allegation Response Team (SMART) to assist in the investigation of marketing violations. CMS strongly encourages Care N’ Care (CNC) to immediately self-disclose such violations to CMS and to be proactive in reporting any corrective action measures taken to respond to any violations.

CMS has also contracted with private organizations, called MEDICs, to assist in the management of CMS’ anti-fraud and abuse efforts. The MEDIC’s responsibilities include: investigating potential fraud in Part C and Part D; receiving and resolving fraud complaints (from beneficiaries, plan sponsors, other interested parties); referring fraud cases to law enforcement; responding to law enforcement requests for information; providing support to law enforcement through investigations and case development; performing data analyses (proactive and reactive); identifying program vulnerabilities; and sharing information with stakeholders (beneficiaries, plan sponsors, state and local agencies). CMS requires CNC to report potential instances of FWA to its designated MEDIC, Health Integrity, LLC. When MEDICs discover plan violations of criminal, civil or administrative law, they will refer them to the appropriate law enforcement entity.

Finally, the TDI have authority over how the insurance industry conducts business within Texas and is responsible for enforcing many of the insurance-related laws of the state. The TDI is responsible for handling the litigation needs of the State, representing it in actions to enforce the managed care laws. The DOI is foremost a consumer protection agency that aims to protect insurance consumers by regulating the industry’s practices. More specifically, the DOI actively investigates suspected fraud and violations of the Texas Insurance Code by licensees.

POLICY:

Care N’ Care (CNC) is strongly committed to the detection and prevention of FWA at the plan level, as well as within its first-tier entities, downstream entities, or related entities. CNC maintains ultimate responsibility for adhering to and otherwise fully complying with all applicable federal and state statutory, regulatory, and other requirements related to the delivery of the Medicare benefits, including the compliance plan requirements found at 42 C.F.R. § 423.504(b)(4)(vi)(H). CNC will work in an ongoing manner with the appropriate entities to detect and prevent FWA as is required by the CMS Prescription Drug Benefit Manual, Ch. 9 and 21– Part D and C Program to Control FWA. Furthermore, self-reporting plays a critical role in reducing FWA and maintaining program integrity. Therefore, CNC will self-report potential fraud discovered at the plan, first-tier entity, downstream entity, or related entity levels to the appropriate entities. In doing so, CNC may receive the benefits of voluntary self-reporting found in the False Claims Act and federal sentencing guidelines. Self-reporting offers plans the opportunity to minimize the potential cost and disruption of a full scale audit and investigation, to negotiate a fair monetary settlement, and to potentially avoid an OIG permissive exclusion preventing CNC from doing business with the Federal health care programs. CMS strongly encourages plans to immediately self-disclose marketing violations to CMS and proactively report any corrective action measures that they have taken to respond to any violations. Both the DOJ and the OIG also have longstanding policies favoring self-disclosure. The Provider Self-Disclosure Protocol for the DHHS OIG can be found at 63 Fed. Reg. 58,399-403 (1998). LAW & REGULATIONS RELATED TO FWA:

a. 42 CFR § 423.504(b)(4)(vi)(H) b. CMS Prescription Drug Benefit Manual, Ch. 9 and 21– Part D and C Program to Control FWA c. Anti-Kickback Regulations – 42 U.S.C.A. § 1320a-7b(b) d. Stark Law Amendments – 42 U.S.C. § 1395nn e. Mail and Wire Fraud – 18 U.S.C. § 1341 f. False Claims Act – 31 U.S.C. § 3729-33 g. HIPAA – 45 CFR, Part 164


Page 3 of 7

h. Provider Self-Disclosure Protocol – 63 Fed. Reg. 58,399-403 (1998) PROCEDURE:

A. Initiate Reasonable Inquiry

1. When the Compliance Officer becomes aware of the potential instance of FWA, s/he should initiate a reasonable inquiry immediately, but no later than two weeks from the date that the potential misconduct is identified.

2. If the Compliance Officer determines that CNC has adequate time, resources, and

experience to investigate the potentially fraudulent activity, he/she should initiate such an investigation to determine whether potential fraud or misconduct has occurred.

3. CNC must conclude investigations of potential misconduct within a reasonable time period

after the potentially fraudulent activity is discovered and complete a FWA Investigation Report form (see Attachment). If after conducting a reasonable inquiry it is determined that potential fraud or misconduct has occurred, the conduct must be reported to the appropriate entity or entities promptly, but no later than 30 days after the misconduct has been detected, unless an alternate timeframe is specified.

Additional instructions for reporting potential FWA to the MEDIC: To the extent that potential fraud is discovered at the first-tier entity, downstream entity, or

related entity levels, the Compliance Officer should report the conduct to the MEDIC sooner so that the MEDIC can help identify and address any scams or schemes.

If the Compliance Officer determines that CNC does not have adequate time, resources, or

experience to adequately investigate the potentially fraudulent misconduct, s/he should report the matter to the MEDIC within two weeks from when the potentially fraudulent or abusive activity is discovered.

B. Determine Which Entity (or Entities) to Report to: To be clear, a single incident may be reported

to multiple entities. A report should be made to each entity that has jurisdiction over the incident.

1. Health Care Fraud Prevention and Enforcement Action Team (HEAT):

Reports of FWA to the DOJ and OIG’s HEAT are made to the OIG. Such reports may include the following: false/fraudulent claims submitted to Medicare/Medicaid, kickbacks/inducements for referrals by Medicare/Medicaid providers, medical identity theft involving Medicare and/or Medicaid beneficiaries, door-to-door solicitation of Medicare/Medicaid beneficiaries, misrepresentation of Medicare private plans, abuse/neglect in nursing homes and other long term care facilities, and fraud/waste in American Recovery and Reinvestment Act grants. Reports of failure to safeguard medical information (i.e., HIPAA violations) should not be forwarded to the OIG, but rather the DHHS Office for Civil Rights. For additional examples of instances that should and should not be reported to the DHHS OIG, visit http://oig.hhs.gov/fraud/report-fraud/index.asp.

2. Centers for Medicare and Medicaid Services (CMS):

Potential internal and external marketing violations made known to CNC should be


Page 4 of 7

reported to CMS. CNC will complete the CMS Surveillance Marketing Allegation Response Team (SMART) Referral Form upon request, or upon suspected marketing misrepresentation warranting an investigation from CMS. If CMS contacts CNC in response to an allegation through the CMS Surveillance Module on HPMS, CNC will provide a thorough response to CMS within five business days, unless otherwise specified. The timeframe starts on the next business day following the receipt of the notification.

3. Medicare Drug Integrity Contractor (MEDIC):

Any suspected FWA in Medicare Part C or D should be reported to Health Integrity, LLC, CNC’s designated MEDIC. Fraud cases may involve beneficiaries, pharmacies, physicians or other providers, health plans, or other organizations. For specific examples, see the CMS Prescription Drug Benefit Manual, Ch. 9 § 70 or Pharmacy Policy and Procedure: Part D Program to Control FWA. In addition, cases meeting any of the following criteria should be reported to the MEDIC:

Potential criminal, civil, or administrative law violations; Allegations extending beyond the PDP/MAPD, involving multiple health plans,

multiple states, or widespread schemes; Allegations involving known patterns of fraud;

Pattern of fraud or abuse threatening the life or well-being of beneficiaries; or Schemes with large financial risk to the Medicare Program or beneficiaries.

4. Reporting to Texas Department of Insurance

The Compliance Officer should fill out a Request for Assistance Form within 60 days of determining that a contracted agent, broker, or field marketing organization (FMO) engaged in marketing misconduct.

C. Create Report - Unless otherwise specified, the Compliance Officer should develop a report that includes, to the extent available, the following:

Plan name, organization, and contact information for follow up Summary of the Issue

o Include the basic who, what, when, where, how, and why o Any potential legal violations

Specific Statutes and Allegations o List civil, criminal, and administrative code or rule violations, state and

federal o Provide detailed description of the allegations or pattern of fraud, waste, or

abuse Incidents and Issues

o List incidents and issues related to the allegations Background information

o Contact information for the complainant, the perpetrator or subject of the investigation, and beneficiaries, pharmacies, providers, or other entities involved

o Additional background information that may assist investigators, such as names and contact information of informants, relators, witnesses, websites, geographic locations, corporate relationships, networks.

Perspectives of Interested Parties o Perspective of Plan, CMS, beneficiary


Page 5 of 7

Data o Existing and potential data sources o Graphs and trending o Maps o Financial impact estimates

Recommendations in Pursuing the Case o Next steps, special considerations, cautions

D. Send Report – Once the above information is collected, it should be detailed in the appropriate

form, if applicable, and sent to the appropriate entity or entities:


i. Telephone (Hotline): 1-800-HHS-TIPS (1-800-447-8477) ii. Online: http://oig.hhs.gov/fraud/report-fraud/report-fraud-form.asp

iii. Fax: 1-800-223-8164; in order to accept submissions for review via facsimile,

the OIG Hotline requires a complaint to include a formal cover letter or the use of the downloadable complaint submission form available at http://oig.hhs.gov/fraud/report-fraud/hotline_complaint_submission_form.pdf.

iv. Email: [email protected]

v. Mail:

Office of Inspector General Department of Health & Human Services ATTN: HOTLINE PO Box 23489 Washington, DC 20026

2. Centers for Medicare and Medicaid Services (CMS)

Email: [email protected]

3. Medicare Drug Integrity Contractor (MEDIC): Reporting Forms:

MEDIC Compromised ID Report Form - Use this form only if reporting potential theft of a beneficiary’s HICN or a prescriber’s identifier, often called compromised identifiers. Transmit this form via fax.

4. Texas Department of Insurance (DOI):

Telephone: 1-800-252-3439

Email: [email protected]

E. Follow-Up


An OIG analyst will review the report for relevance and completeness. Not all reports result in an investigation. A reviewing official may contact CNC for further information.


Page 6 of 7

The OIG Hotline is not authorized to disclose any information on records in its possession: the Hotline will not be able to confirm receipt of the report, respond to any inquiries about action taken on the report, or provide the status of reports. However, a request for pertinent Federal agency records may be made through the OIG Freedom of Information Act (FOIA) officer. A request may be submitted through the following means: Online: http://oig.hhs.gov/foia/submit.asp Mail:

OIG Freedom of Information Officer Cohen Building, Suite 1062 Department of Health and Human Services 330 Independence Ave, S.W. Washington, D.C. 20201 Fax: (202) 205-4030

When submitting a request, phrase the request in terms of a search for records pertinent to the report, not status. Wait at least six months before filing such a request. Fees may apply.

2. Medicare Drug Integrity Contractor (MEDIC):

The MEDIC will further investigate reports from CNC, develop the investigations, and make referrals to appropriate law enforcement agencies or other outside entities when necessary. To the extent it is feasible; the MEDIC will keep CNC informed of the development and status of the investigation. If the MEDIC determines a referral to be a matter related to non-compliance or mere error rather than fraud or abuse, it will be returned to CMS and/or CNC for appropriate follow-up. MEDIC investigators may contact CNC to discuss details or obtain written documents or other information.

If the MEDIC requests additional information, the Compliance Officer shall furnish the requested information within 30 days, unless the MEDIC otherwise specifies.

Additionally, the Compliance Officer should provide updates to the

MEDIC when new information regarding the matter is identified.

All cases referred to the MEDIC are to receive:

An acknowledgement letter within five days and A resolution letter once the case has reached a conclusion.

F. Record Keeping

Any information related to a potential fraud case should be retained for ten years. Specifically regarding providers, CNC must to maintain files on providers who have been the subject of complaints, investigations, violations, and prosecutions. This includes enrollee complaints, NBI MEDIC investigations, OIG and/or DOJ investigations, US Attorney prosecution, and any other civil, criminal, or administrative action for violations of Federal health care program requirements. CNC must also to maintain files that contain documented warnings (i.e., fraud alerts) and


Page 7 of 7

educational contacts, the results of previous investigations, and copies of complaints resulting in investigations.





Policy and Procedure Name: Monitoring and Auditing

Policy Number: COM - 13






Page 1 of 5

PURPOSE:

Establish protocols for internal monitoring and auditing processes to evaluate Care N’ Care (CNC) and its first tier, downstream and related entities (FDR) as applicable with Federal and State laws, CMS regulations and compliance with CNC’s Code of Conduct and Compliance Plan. This includes, but is not limited to:

Routine internal and external monitoring of compliance risk areas by business units

Periodic internal and external audits to confirm results of monitoring

External audits of entity as appropriate, including to evaluate CNC and first tier compliance with requirements

Evaluation of overall effectiveness of the Compliance Program DEFINITIONS & ACRONYMS: CMS – Centers for Medicare and Medicaid CFR – Code of Federal Regulations FDR – First Tier, Downstream and Related Entity PBM – Pharmacy Benefit Manager FWA – Fraud, Waste and Abuse OIG – Office of the Inspector General Monitoring – Monitoring is an ongoing check and measurement of performance to ensure processes are working as intended. Although auditing techniques may be employed, monitoring is often less structured than auditing. Monitoring is typically performed by department staff and communicated to department management. Monitoring efforts are generally more frequent and closer to real time than audit activities. Auditing – Auditing is a more formal, systematic review of past performance against applicable internal and external standards, using structured methodology and evaluation tools. Audits are typically performed by individuals outside of the department or function under review, such as the Compliance Department. POLICY:

Care N’ Care (CNC) will develop and implement appropriate monitoring and auditing processes to evaluate compliance with applicable laws, regulations and policies, and rapidly detect potential issues, problems or violations. This will include internal monitoring and audits, and as applicable, external audits to evaluate CNC and its FDRs compliance with regulatory requirements and the overall effectiveness of the compliance program. CNC will provide proactive, targeted efforts to prevent, detect, and respond to fraud, waste, and abuse issues. Compliance will develop monitoring and auditing work plans that address the risks identified during the annual risk assessment evaluation. The risk assessment will address all

Care N’ Care Monitoring and Auditing _______________________________________________________________________________

Page 2 of 5

business operational areas of CNC, including FDRs. CNC must have a system of ongoing monitoring and auditing that is reflective of its size, organization, risks and resources to assess performance in the areas identified as being at risk. The Compliance Committee will receive regular reports regarding performance, updates to systems, staffing, etc. Annual Risk Assessment – An effective monitoring and auditing program begins with an annual risk assessment. CNC will conduct a formal baseline assessment of the organizations major compliance and fraud, waste and abuse areas using the Risk Assessment Tool. Each operational area, including FDRs, must be assessed for the types and levels of risks the area presents to the Medicare program and to CNC. Factors in determining the risks associated with each area include but are not limited to:

Size of department Complexity of Work Training Past Compliance Issues Budget Regulatory Requirements

Risks identified by the assessment will be ranked to determine which risk areas will have the greatest impact on CNC and Compliance will prioritize the audit and monitoring plans accordingly. PROCEDURE:

A. Monitoring

1. A comprehensive risk assessment will be completed at least once a year, or more often if necessary. There will be an ongoing review of potential risks of non-compliance and fraud, waste, and abuse. Results of the risk assessment will be used to develop a monitoring work plan. The monitoring plan will be presented to the Compliance Committee for comment and approval.

2. Frequency – Monitoring should be performed on an ongoing basis. One should monitor a

performance indicator or service level agreement (SLA) with a frequency appropriate to the nature of the process and relative risk it represents (e.g., monitoring efforts can be periodic spot checks or tests on a daily/weekly/ monthly basis).

3. Follow-up and Corrective Action – Any monitoring result indicative of a potential issue,

problem or noncompliance must be adequately addressed. If necessary, the Department Manager should conduct a more thorough review to determine whether the monitoring result accurately reflects reality. Negative monitoring results may be reported to the Compliance Officer, Compliance Committee and Board of Directors, based on the scope and severity of the issue. When there are severe monitoring results, the Compliance Team and Department Manager will determine appropriate next steps, such as conducting a focused audit.

4. Monitoring Plan – Compliance, along with input and approval from the Compliance Committee, will develop and publish an annual monitoring plan. The plan is subject to review and revision throughout the year as new indicators for focused monitoring may emerge.

5. Reporting – Monitoring activities are directed by and reported back to management as an ongoing feedback mechanism to demonstrate that key controls in a process are working effectively. If completed in relation to the Compliance Monitoring Plan, formal communication may be made to plan leadership, the Compliance Committee and Board of Directors. Compliance will publish a monitoring report utilizing the CNC Monitoring Report Template.

B. Auditing


Page 3 of 5

1. A comprehensive risk assessment will be completed at least once a year, or more often if

necessary. There will be an ongoing review of potential risks of non-compliance and fraud, waste and abuse. Results of the risk assessment will be used to develop an auditing work plan. The auditing plan will be presented to the Compliance Committee for comment and approval.

2. The Compliance Department will conduct or facilitate operational and FDR audits sufficient to

evaluate CNC’s level of compliance with applicable laws, regulations and company policies. All operational and first-tier audits will be appropriately planned and structured according to established methodology, using an accepted tools and standards (e.g., one of the CMS Audit Guides).

3. Focused Audits – Compliance will arrange focused audits of specific departments, first tier

entities, or areas as necessary. Focused audits may result from risk assessment data, departmental monitoring, regulatory concerns (e.g. OIG Work Plan), employee incident reporting, or any other credible indicators.

4. Routine Audits – Compliance will periodically schedule routine audits to do spot checks of

CNC departments or FDRs, as necessary and at a frequency to be determined by the annual risk assessment.

5. FDR Specific Audits - CNC’s contractual agreements with first tier entities provide for routine

and random auditing. Where FDRs perform their own audits, CNC will request a copy of the FDR’s audit work plan and request the audit results. When corrective action is needed, CNC will ensure that corrective actions are taken by the entity. Reports that Compliance may review as part of FDR auditing and monitoring including but are not limited to:

Payment Reports Drug Utilization Reports Provider Utilization Reports Service Authorization Reports Customer Service Reports Utilization Reports

6. Follow-up and Corrective Action – Any audit result indicative of a potential issue, problem or

non-compliance must be adequately addressed. Based on the scope and severity of the issue, the Compliance Department and Department Manager will determine appropriate next steps. Confirmed problems or cases of non-compliance must be remediated with appropriate corrective action.

7. Audit Plan – Compliance, along with input and approval of the Compliance Committee, will

develop and publish an annual audit plan. The audit plan is subject to review and revision throughout the year as new indicators for focused audits may emerge. The audit plan includes:

Audits to be performed Audit schedules, including start and end dates Types of audit (desk, onsite or virtual) FDRs to be audited Person(s) responsible Final audit report due date Follow up activities from findings

8. Reporting – Audit findings that represent significant risk to the organization will be reported


Page 4 of 5

immediately to plan leadership, the Compliance Committee and the Board of Directors. Compliance will publish a formal audit report utilizing the CNC Compliance Audit Report Template.

Compliance will prepare a quarterly report of the status of the audit plan. The report includes but is not limited to:

Audit objectives Scope and methodology Results of current audits, including any detected issues or non-compliance

and resulting corrective action. Recommendations

The report will be presented to the Compliance Committee.

CROSS-REFRENCED DOCUMENTATION: COM -26 Compliance Risk Assessment P&P Risk Assessment Tool CNC Monitoring Report Template CNC Compliance Audit Report Template

REVISION HISTORY Description of Change Author Effective Date Revised P&P to consolidate both auditing and monitoring functions.


Risk Assessment process updated Nichole Hageman 3/16/2018




Page 5 of 5

Policy and Procedure Name: Investigating & Responding to Potential Compliance Issues







Page 1 of 4

PURPOSE

The purpose of this policy is to outline the steps for receiving, investigating and reporting potential compliance issues. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS ComplianceLine – contracted vendor that administers a reporting and case management system for potential compliance issues. ComplianceLine takes reports via phone or internet made either anonymously or confidentially and is available 24 hours a day, 7 days a week. Inconclusive – an investigation outcome in which a determination of whether a violation of the Code of Conduct, laws, regulations, and/or company policies occurred cannot be made. Potential Compliance Issues - issues that may be reported to the Compliance Officer, officers, directors, and first tier, downstream, and related entities regarding suspected violations of the Code of Conduct, laws, regulations, and/or company policies. Substantiated – an investigation outcome in which a violation of the Code of Conduct, laws, regulations, and/or company policies occurred. Unsubstantiated – an investigation outcome in which a violation of the Code of Conduct, laws, regulations, and/or company policies did not occur. POLICY

Care N’ Care (CNC) recognizes that violations of its Compliance Program, violations of applicable federal or state law or regulations, or other types of misconduct threaten its status as a reliable, honest, and trustworthy organization capable of participating in federal and private programs. Any report or evidence of suspected violations of law, regulations, or applicable standards of conduct can be reported to the Compliance officer, including anonymous reports using the ComplianceLine. CNC reviews and investigates all reports of potential compliance issues. CNC will treat all reports seriously and in a confidential manner, to the extent possible, and will take appropriate corrective action, including necessary reporting to appropriate governmental agencies, as a result of the investigation. All employees are required to cooperate fully in all compliance investigations. Failure to cooperate in an investigation may lead to disciplinary action. Intimidation or retaliation against any employee who cooperates in a compliance investigation is strictly prohibited and will lead to disciplinary action up to and including termination PROCEDURE

Care N’ Care, COM-012, Investigating & Responding to Potential Compliance Issues ________________________________________________________________________________

Page 2 of 4

I. All employees, consultants, temporary staff, first tier, downstream and related entities (FDRs) are given direction on how to report potential compliance issues during new hire orientation, at contracting and through compliance policy and procedures. The Code of Conduct provides instruction on the various mechanisms for reporting potential compliance issues, including how to report issues through the ComplianceLine system. Employees, consultants, temporary staff and FDRs can also report compliance issues directly to the Compliance Officer or any of the Compliance staff.

II. For reports that are made through the ComplianceLine system, the Compliance Officer receives an

email from the ComplianceLine Reporting system when a report is made. The Compliance Officer maintains an Excel database for reports received outside the ComplianceLine system.

III. For all reports, regardless of the route taken to report to Compliance Department, the Compliance

Officer reviews the report to determine if it is a Potential Compliance Issue. a. If it is not, a referral is made to the more appropriate person (i.e. Human Resources) for

follow up.

b. If the report includes a Potential Compliance Issue, the Compliance Officer will investigate the case. The Compliance Officer may consult with legal counsel on some cases if the report indicates that it is more appropriate for another party, including outside counsel, to investigate the case.

c. Depending upon the nature of the alleged violations, an internal investigation will include

interviews and a review of relevant documents. See Attachment A: Internal Investigation of Alleged Violations Checklist

d. The ComplianceLine reporting system has a feature where implicated persons included in a

report would not receive notices of such. Therefore, if the Compliance Officer is implicated and/or the subject of a case, the report would be forwarded to the Director of Human Resources, the back up for the Compliance Officer.

IV. Investigations Conducted by the Compliance Department:

The Compliance Officer may investigate the case or may assign a case to the Compliance Program Manager as Investigator. In either case, the documentation of all interviews, documents, and findings will be maintained in the case file.

Once the investigation is concluded, the Compliance Officer makes a determination. Please proceed to the section below titled “Compliance Officer Determination.

V. Investigations Conducted by Legal Counsel: For cases that are referred to Legal Counsel, the notes and records of counsel, as well as legal counsel’s report, shall be considered confidential and privileged communications from attorney to client. No board members, officer, employee or agent shall be authorized to release them to any outside agency without the written approval of the Chief Executive Officer and Legal Counsel. Upon receipt of counsel’s investigative findings, proceed to the section below titled “Compliance Officer Determination”.

VI. Compliance Officer Determination The Compliance Officer will determine if the investigation outcome is Substantiated, Unsubstantiated, or Inconclusive and note the determination in the case file.

a. If Unsubstantiated or Inconclusive, the case will be closed.


Page 3 of 4

b. If Substantiated, the Compliance Officer will make recommendations, including but not limited to the following actions:

Disciplinary Action of a person or persons, up to and including termination, to the CEO

and Director of Human Resources.

Operational process improvements and/or other necessary corrective actions to the leadership of the operational area.

o A corrective action plan will be created if any fraud and abuse or material violation of

this program is found to have occurred. Where applicable, a root cause analysis of the issue shall be conducted to identify gaps in CNC policies and procedures.

Review by Legal Counsel for a legal determination of potential violation of regulation, statute, or law.

o If Legal Counsel concludes that a violation of the law has occurred, a potential

compliance issues report may be made to the appropriate governmental agency. This potential compliance issues report may take the form of a voluntary disclosure to the Office of Inspector General of the Department of Health and Human Services or other compliance issues report, as counsel deems appropriate.

o The potential compliance issues report will be completed by the Compliance Officer

with the assistance of legal counsel and may contain documentation of the suspected violation, copies of key document, a log of witnesses interviewed and documents reviewed, and a summary of any disciplinary or corrective actions taken as a result of the investigation. The potential compliance issues report will be forwarded to the appropriate agency with a designation of the legal counsel who shall be the primary point of contact with agency until the matter is concluded.

c. Records of the investigation will contain documentation of the alleged violation, a description of the investigative process, copies of interview notes and key documents, a log of the witnesses interviewed and the documents reviewed, the results of the investigation, e.g., any disciplinary action taken, and the corrective action implemented

VII. The Compliance Officer will report summary data of the types and outcomes of Compliance Issues at

least annually to the Compliance Committee and to the Board of Directors as applicable. CROSS-REFRENCED DOCUMENTATION: COM-025 Communications Regarding Regulatory Changes ComplianceLine Procedures – Original Report

REVISION HISTORY Description of Change Author Effective Date Revised title from “Internal Investigations of Alleged Violations”.


Updated processes to include ComplianceLine reporting system.


RELEVANT REGULATORY CITATIONS Document Title


Page 4 of 4

Code of Federal Regulations 42 CFR Part 422.503(b)(4)(vi)(A) through (G) Code of Federal Regulations 42 CFR Part 423.504(b)(4)(vi)(A) through (G) U.S. Department of Health and Human Services (HHS), Office of Inspector General



Policy and Procedure Name: Effective Lines of Communication







Page 1 of 5

PURPOSE

The purpose of this policy is to implement the relevant provisions of 42 C.F.R. § 422.503(b)(4)(vi) and 423.504(b)(4)(vi) and Chapter 9 of the Medicare Prescription Drug Manual, and Chapter 21 of the Medicare Managed Care Manual, which requires sponsors to implement an effective compliance program, including procedures for effective lines of communication ensuring confidentiality between the Compliance Officer and the organization’s employees, managers, governing body, members of the Compliance Committee, and first-tier, downstream and related entities (FDRs). SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS Abuse: Actions that may, directly or indirectly, result in unnecessary costs to the Medicare Program. Abuse involves payment for items or services when there is no legal entitlement to that payment and the provider has not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse cannot be differentiated categorically from fraud, because the distinction between fraud and abuse depends on specific facts and circumstances, intent and prior knowledge, and available evidence among other factors. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. Fraud: Knowingly and willfully executing, or attempting to execute, a scheme or artifice to defraud any health care benefit program or to obtain (by means of false or fraudulent pretenses, representations, or promises) any of the money or property owned by, or under the custody or control of, any health care benefit program.

Care N’ Care, COM-009, Effective Lines of Communication ________________________________________________________________________________

Page 2 of 5

Waste: Overutilization of services, or other practices that, directly or indirectly, result in unnecessary costs to the Medicare program. Waste is generally notconsidered to be caused by criminally negligent actions but rather the misuse of resources. POLICY

Care N’ Care will comply with all applicable federal and state regualtions regarding the establishment of a compliance program. Specifically, the Compliance department will adhere to standards for effective lines of communication, ensuring confidentiality between the Compliance Officer, members of the Compliance Committee, employees, managers and governing body, and CNC’s FDRs. Such lines of communication will be accessible to all, be user-friendly, and allow for anonymous and confidential good faith reporting of potential or actual compliance issues as well as suspected or actual violations relating to the Medicare program. In addition, CNC has adopted a policy of non-intimidation and non-retaliation and enforces a no tolerance policy for retaliation or retribution for good faith reporting of suspected non-compliance or fraud, waste and abuse concerns. PROCEDURE

I. Communication with the CEO and Board of Directors - The Compliance Officer will maintain open lines of communication with the CEO and Board of Directors regarding activities of the Compliance Committee and Compliance Department. This includes, but is not necessarily limited to, the following:

Regulatory Updates Ongoing reports involving Non-Compliance/Risks Compliance Program Compliance Work Plan Auditing & Monitoring efforts

II. Communication with the Compliance Committee – The Compliance Committee will meet bi-

monthly for the purpose of overseeing the Compliance Program. The Compliance Officer will keep the Committee informed and seek its guidance on compliance or ethics issues that represent potential risk to the organization.

III. Communication with Management – The Compliance Officer will maintain open lines of

communication with CNC management staff. This includes, but is not necessarily limited to, the following:

A. Compliance Program – All management staff shall receive a copy of the Compliance Program, including all significant revisions. Managers are responsible for understanding the Compliance Program and distributing a copy to all employees.

B. Program Guidance – Compliance will distribute statutory, regulatory and sub-regulatory guidance, including HPMS Memos and operational guidance through the compliance distribution list and direct direct communication (See COM-025 Communications Regarding Regulatory Changes).

Part C/D User Group Calls: The Compliance Department also tracks and

documents regulatory guidance through the CMS user group calls, and communicates this to business owners when applicable. Compliance sends out notices to business owners impacted by the content of the call.

CMS Educational Notices: The Compliance Department routinely disseminates

new compliance information to business owners and applicable FDRs. The notices summarize changes in CMS regulations, fraud alerts, CMS sanctions and


Page 3 of 5

enforcement actions against other health plans, CMS conferences, and industry/association training and conferences.

C. Issues Tracking Log – The Compliance Department tracks all compliance violations and

communications from CMS via the Issues Tracking Log. Compliance will track any action item associated with regulatory guidance and send out reminders to managers until all required actions are implemented.

IV. Communication with Employees - The Compliance Officer will maintain open lines of communication with employees at all levels of the organization. This includes, but is not necessarily limited to, the following:

A. Compliance Policies and Code of Conduct – All employees shall receive copies of the Compliance P&Ps including the Code of Conduct, at the time of employment and annualy thereafter. The Code of Conduct will be made available to delegated (first-tier, downstream, and related) entities. Employees shall be required to certify their receipt and understanding and acknowledgement.

B. Training and Education, Incident Reporting – Employee training and incident reporting

are key aspects of organizational communication. These components are addressed in separate Policies and Procedures.

V. Communication with First-tier, downstream, and related entities – The Compliance Officer

and Compliance Committee will develop and utilize mechanisms for communicating with first tier, downstream and related entities (FDRs), including health care providers, management service organizations, and brokers. Such communication will typically occur in collaboration with CNC departments or committees having established methods of contractor communication. Examples include Pharmacy Benefit Management, Marketing, Care Management (Utilization Management) and Claims Oversight. CNC will also communicate changes in relevant laws, regulations, and policies and procedures to FDRs.

A. FDRs are required to report any suspected and/or actual misconduct without fear of

intimidation or retaliation for good faith reporting in the Compliance Program. The FDR management shall communicate any suspected and/or actual misconduct to the Compliance Officer within a reasonable time after discovery or knowledge.

VI. Communication with Regulatory Authorities – CNC will maintain open communication with

regulatory authorities.

A. The Compliance Officer is CNC’s primary point of contact with regulatory authorities. Normal, ongoing communication with regulators will be routed through the Compliance Officer.

B. Individual departments may have such direct communication with regulatory authorities as is appropriate to fulfillment of their responsibilities. For example, Enrollment may be required to contact CMS regarding retro-active transactions; IT may be required to contact the CMS Help Desk regarding transmission of data; etc.

C. For elevated issues such as investigation, litigation, interaction with enforcement authorities, or any situation that poses similar risk to the organization, communication will be governed by, as appropriate:

Company policy, if applicable policy exists Direction from senior management Legal department

VII. Communication with Members - CNC will maintain open communication with our members and

educate our members on identifying and reporting noncompliance and FWA. Methods of communication with our members include newsletters, emails, meetings and information published on CNC’s website.


Page 4 of 5

VIII. Reporting to Compliance - As described in CNC’s Code of Conduct, employees, members of

the Board of Directors, and FDR are required to report suspected or detected noncompliance, and potential FWA. To accommodate the various topics and to establish preferred communication methods, CNC has developed several mechanisms for reporting potential or actual non-compliance and FWA issues.

A. Directly to the Compliance Officer or any member of the Compliance team at 1701 River

Run, Suite 402 Fort Worth, TX 76107. B. By sending an email to the compliance Officer or the designated compliance email box at

[email protected] C. Through the Compliance Hotline at 1-844-760-5838. Reports made through the

compliance hotline can be made confidentially or anonymously, 24 hours a day, 7 days a week.

D. The Compliance Hotline allows for anonymous reporting via the ComplianceLine website at www.mycompliancereport.com.

IX. Recording, Responding To, and Tracking Issues

A. Compliance will respond to, assess and investigate to the extent warranted, all compliance questions and reports of suspected or detected noncompliance or potential FWA and take appropriate action.

B. Compliance ensures the recording and tracking of reports of suspected or detected noncompliance or potential FWA which may be used to identify trends and potential systemic issues.

C. FWA case details are maintained in accordance with CNC’s Record Retention Policy. D. For issues that have an impact on personnel matters, Human Resources will be engaged

appropriately to handle compliance or FWA issues that impact such personnel matters.

X. Non-Retaliation – No employees will be discriminated or retaliated against in any way for bringing forward a question or good faith complaint. All employees are required to support both the letter and spirit of this commitment. Those who retaliate against an individual who makes a good faith effort to report a compliance or FWA issue will be subject to CNC’s corrective action policy.

XI. Disclosure to CMS – In the spirit of transparency, and pursuant to CMS requirement, the Compliance Department will disclose to the CMS Regional Office applicable incidents of noncompliance and FWA that impact beneficiary safety and access to care. Regular updates will be provided to the CMS Account Manager on the status and outcome of corrective action plans and any follow-up monitoring activities that may be done to ensure that the issue is not likely to reoccur. CNC will follow policy guidance for making self-disclosures regarding violations of federal criminal law or the civil False Claims Act to the U.S. Department of Health and Human Services (HHS)

CROSS-REFRENCED DOCUMENTATION: COM-025 Communications Regarding Regulatory Changes

REVISION HISTORY Description of Change Author Effective Date Revised language related to First Tier, Downstream and Related Entities per CMS guidance. Policy revisions made to compliance committee oversight, Annual Compliance Workplan and Communication



Page 5 of 5

REVISION HISTORY Description of Change Author Effective Date methods. Annual Review and Update, revised hotline language



(§50.1.5, 50.1.7) U.S. Department of Health and Human Services (HHS), Office of Inspector General



Policy and Procedure Name: Disciplinary Guidelines and Enforcement







Page 1 of 3

PURPOSE: The purpose of this policy is to provide the guidelines Care N’ Care Compliance follows for the timely, consistent and effective enforcement of the disciplinary standards when acts of misconduct are identified. Further, this policy describes the expectation for reporting of compliance issues and methods used to publicize disciplinary standards to all Care N’ Care (CNC) employees, contractors, agents, First Tier, Downstream and Related Entities (FDRs). DEFINITIONS: POLICY:

Care N’ Care utilizes corporate policies which reflect examples of misconduct, reporting expectations and types of disciplinary actions for timely reporting of compliance issues. Managers, governing body, employees and FDRs must participate in required annual training which describes policy expectations for reporting misconduct, assisting in the investigation of reported compliance issues and the disciplinary and enforcement standards applied when employees do not follow the Code of Conduct or HR policies. In addition to annual training, various methods are used to publicize disciplinary standards and enforcement actions, providing examples of non-compliant, or unethical behavior that employees and FDRs might encounter and the resulting enforcement action. To encourage good faith participation in the compliance program and describe the duty and expectation to report issues or concerns, the following methods are used to publicize disciplinary standards to employees and FDRs.

a. Embedded in the Code of Conduct b. Policies are posted on Care N’ Care’s shared drive; some Human Resources policies in ADP c. Employee Handbook provided to all new hires and available in ADP d. Compliance Posters g. Expectations and resources communicated through annual training courses to employees and FDRs

These disciplinary standards articulate expectations for reporting compliance issues and assist in their resolution, identify noncompliance or unethical behavior, and provide for timely, consistent, and effective enforcement of the standards when noncompliance or unethical behavior is determined. Enforcing Disciplinary Action: CNC employees and contractors who engage in illegal activity or improper conduct, including violation of the Code or any other CNC policy, are subject to disciplinary action including oral or written warning or reprimands, suspension, termination, financial penalties and potential reporting of this conduct to law enforcement. If employees or contractors self-report their own illegal actions or improper conduct, CNC will take such self-reporting into account in determining appropriate disciplinary action. PROCEDURE:

Care N’ Care, COM-007, Disciplinary Guidelines and Enforcement ________________________________________________________________________________

Page 2 of 3

A. Enforcement actions initiated under this policy shall be determined in accordance with existing Human Resource policies, procedures, contracts, and applicable federal and state laws. Allegations that an individual has engaged in noncompliant conduct may be investigated by Human Resources, respective Management and Compliance.

B. Care N’ Care enforces a no-tolerance policy for retaliation or retribution against any employee or

FDR who in good faith reports suspected non-compliance or fraud, waste and abuse (FWA). C. When it’s suspected or been identified that enforcement action is required, Human Resources will

coordinate with the management and may also consult with legal counsel for the appropriate disciplinary action to be taken.

D. Disciplinary action that may be taken for non-compliant behavior or misconduct by an employee is

dependent upon: • Severity of behavior • Impact on employees, the Plan and/or affiliates • Whether there was intent • Previous disciplinary history • Other facts specific to each situation

E. If it is confirmed the employee’s actions violate the Code of Conduct and termination is appropriate,

the employee’s manager will work with Human Resources to follow the applicable termination processes.

F. If an individual of the governing body is suspected of misconduct affecting the Plan, the Compliance

Officer will work closely with legal counsel to conduct an appropriate investigation of the issue identified and officer involvement to determine appropriate disciplinary action, which could include termination.

G. FDRs and agents are required to abide by all contractual obligations. Contracts include provisions for

revocation of contract in instances where CMS or Care N’ Care determines the delegated entity has not performed satisfactorily. In addition to failure to perform delegated functions properly, the FDR may be subject to disciplinary actions for: Failure to comply with, or violation of the Code of Conduct. Violation of any policy or procedure. Failure to participate in required Compliance and FWA trainings. Failure to report suspected non-compliance/FWA. Failure to assist in the resolution of reported compliance issues.

I. Records must be maintained for a period of 10 years for all compliance violation disciplinary actions, capturing the date the violation was reported, a description of the violation, date of investigation, summary of findings, disciplinary action taken and the date it was taken.

Care N’ Care, COM-007, Disciplinary Guidelines and Enforcement ________________________________________________________________________________

Page 3 of 3

CROSS-REFRENCED DOCUMENTATION: Care N’ Care, Code of Conduct NTSP Employee Handbook

RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations 42 C.F.R. §§ 422.503(b)(4)(vi), 423.504(b)(4)(vi) Medicare Managed Care Manual Chapter 9 Compliance Program Guidelines and Chapter 21 of

the Prescription Drug Benefit Manual

Code of Federal Regulations 42 CFR §423.504(b)(4)(i), (vi), (A) - (G)

REVISION HISTORY Description of Change Author Effective Date Annual Review; update to existing policy to align with CMS program guidance. Added FDR Language. Ensure enforcement language aligned with Code of Conduct.



Policy and Procedure Name: Corrective Action Plans







Page 1 of 4

PURPOSE:

To correct actual or potential performance issues related to regulatory compliance or ethical conduct, reduce risk of recurrence, and promote a culture of continuous improvement. DEFINITIONS: Beneificiary Impact Analysis: (BIA) is an analysis completed when noncompliant conditions are found, to identify how many beneficiaries were adversely impacted by the noncompliance. Corrective Action Plan Request: Notices from the Compliance Department to an individual, department or FDR that a Corrective Action Plan is required. Corrective Action Plans (CAP): Document provided to the Compliance Department by an individual, department or FDR which identifies deficiencies requiring resolution and provides a detailed plan to resolve those deficiencies, a timeline to correct the deficiencies, and a person responsible for leading the effort to correct the deficiency. First-Tier Entity: Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage organization, Part D plan sponsor, or contract applicant (hereinafter referred to as a “Sponsor”) to provide administrative services or health care services for a Medicare eligible individual under the Medicare Advantage or Part D programs. Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, below the level of the arrangement between a Sponsor and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Examples include, but are not limited to, mail order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call center firms. Related Entity: Any entity that is related to a Sponsor by common ownership or control and (1) performs some of the Sponsor’s management functions under contract or delegation; (2) furnishes services to Medicare enrollees under an oral or written agreement; or (3) leases real property or sells materials to the Sponsor at a cost of more than $2,500 during a contract period. (See 42 C.F.R. §423.501). Root Cause Analysis: A description of what caused or allowed the FWA, problem or deficiency to occur. POLICY:

The Compliance Officer (CO), as the executive accountable for day to-day operations of the Compliance Program, is responsible for the oversight, development and implementation of Corrective Action Plans as a means to maintaining compliance with regulatory standards both with internal operational areas and all First Tier, Downstream and Related Entities (FDR). Detection of potential or actual issues related to

Care N’ Care, COM-005, Corrective Action Plans _________________________________________________________________________________

Page 2 of 4

compliance, ethical conduct, or other measurable areas of performance shall result in the initiation of appropriate corrective action. PROCEDURE:

I. Basis for Corrective Action Plan (CAP) A. CNC monitors and audits internal operational areas and FDR performance through a variety of

mechanisms. The data and documentation reviewed is established based on operational area or the contractual functions performed.

B. Non-compliance with statutory, regulatory, contractual, policy or other requirements related to the

Compliance program may be identified from information obtained through audits, operational reports, reports of HIPAA, reports of Fraud, Waste and Abuse violations, operational monitoring, member and provider surveys, compliance or other investigations, appeals, grievances, trend analysis or any other reviews or audits.

C. In the event that CNC determines that an operational area or FDR has failed to comply with any

statutory, regulatory, contractual, policy or other requirements relating to the Compliance program, CNC may issue a request for CAP.

D. All CAPs are reviewed and approved by the CO prior to issuance to the deficient internal operational area or FDR. The CO and/or a member of the Compliance Team will meet with the department or FDR to review findings and provide expectations for timeframes of completion and content required for CAP submission.

E. Once a CAP is issued, the responsible individual, department, or FDR has ten (10) business days to respond and provide a plan to remediate the deficiency.

II. Corrective Action Plan General Requirements

A. Non-compliance with specific requirements that have the potential to cause significant Member

harm or place CNC’s contractual status with regulatory agencies in jeopardy will require an Immediate Corrective Action Plan (ICAP) on the part of the FDR or operational area. Significant Member harm exists if the non-compliance resulted in the failure to provide medical services or prescription drugs, causing financial distress, or posing a threat to the Member’s health and safety due to non-existent or inadequate policies and procedures, systems operations or staffing. All ICAPs will require completion of a Beneficiary Impact Analysis (BIA).

B. If the finding is an ICAP, a resolution or steps taken to immediately stop beneficiary harm is

required within three (3) calendar days from the issuance of the finding.

C. A standard CAP not resulting in a material finding should be resolved within 60 calendar days.

D. Departmental or FDR CAPs must effectively address the particular instance or issue of noncompliance and are tailored to reflect the severity of non-compliance identified through self reporting, monitoring or auditing.

E. A CAP must include, at a minimum, a root cause analysis and a detailed corrective plan. F. A root cause analysis identifies the source of the noncompliance, such as system defects, human

error, lack of staff knowledge or training, resource issues, etc. For internal compliance deficiencies, if the root cause is found to be related to human error, negligence, reckless disregard of company policies or procedures, and applicable laws and regulations, or willful misconduct, Compliance consults with leadership and/or Human Resources (HR).

G. A plan to correct the deficiency must include the following:


Page 3 of 4

Development of or revision to company and/or department policies or FDR policies as applicable,

Due date to accomplish each corrective action, Identification of responsible person for each element of the Corrective Action Plan, Education/training curriculum and dates, and, Short-term and long-term monitoring and reporting plans.

III. Compliance Officer (CO) Oversight and Reporting of Corrective Action Plans

Oversight A. CAPs are reviewed by the CO to ensure that all actions, deliverables and timeframes are

acceptable. The department or FDR is notified in writing of all required changes. Throughout the CAP process, the CO and Compliance Committee are provided status updates on a regular basis. The CO is provided biweekly status reports. Reports identify the status of all deliverables (in process, due, and overdue).

B. The CO issues a request for immediate response for all overdue responses to the responsible internal operational area or FDR via email. The responsible parties are given twenty-four (24) hours to provide a response as to the reason for the delay and the revised timeframe required to provide the deliverable.

C. If the response is provided within twenty-four (24) hours, the CO will review and respond with

either an approval of the extension or provide the modified deliverable due date. If the response is either not provided, or provided and subsequently not completed within the agreed upon modified timeframe, the CO will escalate the delinquency to the responsible VP for remediation.

D. With respect to FDRs, should an FDR fail to correct deficiencies or identified issues of

noncompliance, according to the criteria of the Corrective Action Plan(s) issued, CNC may seek to invoke provisions outlined in the contract.

Reporting A. The CO evaluates each CAP for self-reporting to CMS. If a CAP is found to have reached the

level requiring self-reporting, the CO will notify the CEO and CMS. The CO provides CAP ongoing status updates to the Compliance Committee and to the Board of Directors as applicable. Recommendations provided by either body are incorporated into the CAP and updates are provided to the responsible parties.

IV. Closing Corrective Action Plans A. Upon successful completion of a CAP, validation audits and/or increased monitoring of the

operational area or FDR are added to one or more of the following: Compliance Auditing work plan; and/or Compliance Monitoring work plan.

A. Documentation regarding Corrective Action Plans is filed and maintained by the

Compliance Department and in accordance with the requirements of the Document/Record Retention Policy.


REVISION HISTORY Description of Change Author Effective Date Revised to align with CMS audit Nakia Smith 10/1/2015


Page 4 of 4

REVISION HISTORY Description of Change Author Effective Date methodology and CAP process.



Policy and Procedure Name: Conflict of Interest







Page 1 of 5

PURPOSE:

The purpose of this policy is to ensure business decisions made on behalf of Care N’ Care are made with integrity and objectively, avoiding potential or perceived conflicts of interest. SCOPE This policy applies to all members of the board of directors, employees, first tier, downstream and related entities (FDRs), contractors, and agents of Care N’ Care Insurance Company, Inc. DEFINITIONS: Conflict of Interest: Competing personal and professional interests, whereby personal interests may be in conflict with professional roles and responsibilities.

Personal Interest: Motivated by personal gain, which may involve financial interests, personal, relationships or activities outside of work.

Financial Interest: Driven by the potential for personal financial gain. Financial interests may include stocks, bonds, securities and other investments in which an individual, or someone with whom they have a personal relationship, has a financial stake.

Personal Relationship: Any relationship other than a professional one. Personal relationships have the potential to impact professional objectivity. Examples are the relationship you have with a spouse, relative, friend, romantic partner, someone who lives in your household or with whom you have a financial connection.

Outside Activities: Engaging in activities outside work that appear to be in conflict with professional roles. Examples include serving on the board of a competitor, working for a competitor or having a financial interest (ownership or investment) in a competitor.

Employee: For purposes of this Policy, the term “employee” shall be assumed to include any officer, director, manager, or employee of CNC. POLICY:

CNC employees shall strive to avoid conflicts of interest at all times. Business decisions made by CNC employees must be, to the greatest practical extent, free of personal bias, interest or gain. When an employee’s personal interests present actual or potential conflicts with the interests of the organization, or appear with the objectivity and integrity of professional roles and responsibilities, such interests shall be disclosed. Conflict of Interest Disclosure Attestations are completed at time of hire/engagement and annually thereafter. PROCEDURE:

Care N’ Care, COM-004. Conflict of Interest _______________________________________________________________________________

Page 2 of 5

I. Key Standards of Conduct – All officers, directors, corporate members and employees have affirmative duties of loyalty and care to CNC. The duty of loyalty is the obligation to give primacy to the interests of CNC rather than personal concerns – to avoid self-dealing at the corporate’s expense. The duty of care is to act in good faith, in a manner that is reasonably believed to be in the best interests of CNC, with the care a reasonably prudent person would use in similar circumstances. Together, the duties of loyalty and care frame the requirements for proper conduct of business affairs and avoidance of conflicts of interest.

II. Screening – Members of CNC’s governing body and senior leadership must be effectively

screened for conflicts of interest through a certification, attestation or other means. Screening for conflicts of interest shall occur at the time of hire and annually thereafter. The screening for conflicts of interest should determine:

Whether the individual has reviewed CNC’s conflict of interest policy Whether the individual has disclosed any potential conflict of interests Whether the individual has obtained management approval to work despite any conflicts,

or has eliminated the conflict.

III. Disclosures, Assessments and Action – All Conflicts of interests or potential conflicts of interst shall be disclosed by the employee involved in the conflict (self-disclosed) or by employees who became aware of the situation. Conflicts should be disclosed within 30 days of the commencement of employment or at the time of contracting. Board Members shall disclose any potential conflicts of interest at the time of appointment. Disclosures shall be made to the Compliance Officer or CEO who can objectively assess the situation.

Each situation will be assessed on a case-by-case basis to determine if personal interests are compromising, or have the potential to compromise professional integrity. Not every situation involving competing personal and professional interests will warrant action. Some cases may warrant assessment from Legal Counsel. For conflicts of interest that warrant action, such action will be taken to protect the interests of the organization.

IV. Identifying Conflicts of Interest – The following activities illustrate types of potential actual conflicts

of interest that should be avoided and disclosed, as applicable, in accordance with this policy. The list is not all inclusive and is intended to provide guidance.

o Purchasing and Contracting - Purchasing and contracting decisions should be based on

vendor history, quality, service, price and other factors necessary to advance the interests of the organization. Individuals who have the ability to make or influence a purchasing or contracting decision should be free of personal bias or gain. Personal relationships with a potential vendor or contractor, financial interests, gifts or favors received and other forms of influence should be disclosed. When a conflict of interest warrants action, there may be exclusion from the selection, negotiation, purchasing and contracting process.

o Staffing - Staffing decisions should be based on academic credentials, skills,

experience, professional qualifications and achievements and other factors necessary to excel in the role. Individuals who have the ability to make or influence staffing decisions should be free of personal bias or gain. Staffing decisions involving immediate family members, relatives and other individuals where a personal relationship exists should be disclosed. When a conflict of interest warrants action, there may be exclusion from the screening, selection or hiring process, career development, advancement and other

o Gifts and Gratuities – CNC employees do not accept or give entertainment, favors, gifts,


Page 3 of 5

or any other things of material value that are designed or intended to obtain preferential treatment in a business transaction. Gifts and gratuities received should be disclosed and include, but are not limited to, discounts, loans, meals, entertainment, tuition, seminars and conferences.

Employees should never act in a manner that would place any person or

business in a position where they may feel obligated to make a gift, provide entertainment, or provide personal favors in order to do business with CNC in any way.

Kickbacks and bribes are unlawful and prohibited in all situations. Gifts of

nominal value generally may be accepted, unless a particular CNC department has a more restrictive policy. Gifts of any significant value (generally, over $200) should be declined or returned and should be reported to a supervisor or manager. Employees with questions or in need of guidance are encouraged to talk to their supervisor or manager, or contact the Compliance Officer.

o Corporate Assets – The privilege to access and use corporate assets is granted to

advance the interests of the organization and should not be abused for personal gain. Employees may not use CNC’s assets for personal benefit or personal business purposes.

Financial, personal and other incentives to misuse cash, property, equipment,

supplies and other company resources should be disclosed. Company expenditures for professional memberships and education should be

disclosed. When such expenditures do not enhance the performance of professional responsibilities for the organization, they may be considered waste and abuse of corporate assets.

Company discounts and other benefits extended to organizations and

individuals, including prospective and current customers, should be disclosed. When such benefits are based on personal relationships or for personal gain, and do not advance the interests of the organization, they may be considered waste and abuse of corporate assets.

Waste or abuse of corporate assets may result in disciplinary action.

o Information Integrity – The management and communication of information should be free of personal bias or gain. Employees may not disclose or use any confidential information, such as employee data, financial data, payer information, computer programs, and patient information, for their own personal or business purposes.

o Outside activities that may conflict with professional roles and responsibilities should be

disclosed and include, but are not limited to, serving on competitor boards, working for competitors, ownership in a competing business, investments in competitors, political activities and contributions, or activities that go against the core values of the organization.

Employees considering a second job, a consulting engagement, or healthcare-

related investment, should review their plans with their department director for approval. Approval in advance is required before beginning such a task.

As a general rule, employees should not have other employment or business


Page 4 of 5

interests if:

1. The employee appears to represent CNC. 2. The employee provides goods or services similar to those CNC provides

or is considering, 3. The other job interferes with their everyday duties as a CNC employee.

CNC employees may not work for, consult to, or have an independent business

relationship with any of the CNC’s service providers, vendors, competitors, or third party payers.

Participation in social or political activities is not restricted as long as such

participation is on an individual basis and not as representation of CNC. For example, CNC’s logo may not be associated with political or social club advertisements. Employees may not engage in activities or make representations that could be perceived as CNC endorsement of, or association with, a particular social or political group, activity, or position.

V. Circumstance not Expressly Addressed in this Policy - This policy cannot describe all possible situations in which conflict of interest involving CNC may arise. Therefore, CNC employees must use good judgment to avoid any appearance of impropriety. Appropriate circumstances may justify exceptions to the application of the policy. Employees who have questions about this policy or its application to a specific situation should seek advice from their supervisor or manager, the Compliance Officer, or Legal Counsel prior to taking action.

VI. First Tier, Downstream and Related Entities (FDRs) – CNC must also ensure that FDRs

effectively screen their governing bodies and senior leadership for conflicts of interest.

VII. Training and Documentation

o New Hires – All new hires receive a copy of the Employee Handbook which include the Code of Conduct and overview of the COI Policy.

o Ongoing – All staff receive COI policy on an annual basis. o All managers, directors and board members are required to review and sign the COI

Attestation and Disclosure form on an annual basis.


REVISION HISTORY Description of Change Author Effective Date Revised to include training, documentation and annual attestation process.


Revised policy owners and approvers Nakia Smith 9/1/2015

RELEVANT REGULATORY CITATIONS Document Title Code of Federal Regulations 42 C.F.R. §§ 422.503(b)(4)(vi), 423.504(b)(4)(vi)


Page 5 of 5

Prescription Drug Benefit Manual Chapter 9, Compliance Program Guidelines and Medicare Managed Care Manual Chapter 21, Compliance Program Guidelines

Centers for Medicare & Medicaid Services

Review/Approval Date: Signature on File___________________________________ Signature 01/31/2018__________________________ Approval Date

@CareNCare

Compliance Hotline Number: 1-844-760-5838

[email protected]

www.mycompliancereport.com

1701 River Run Ste. 402Fort Worth, TX 76107Attn: CNC Compliance Department

@CareNCareHealth

@CNCHealthPlan

Care N’ Care Insurance Co. Inc.

CONTACT INFORMATION

FOLLOW US

Compliance Officer:Nakia Smith, Director of Compliance

©2018 Care N’ Care Insurance Company, Inc. All rights reserved.

medicare compliance plan & program policies · the cnc board of directors, as the governing...

Documents